Re: [PATCH v6.1] netfilter: nf_tables: use timestamp to check for set element timeout

Hi Pablo,

Thank you for the update and reviewing the patch. We will wait for
your patch to be applied to the LTS and then consume the latest 6.1
kernel.


Best regards,

Kuntal

On Wed, Jun 12, 2024 at 6:15 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> Hi,
>
> Thanks for your patch.
>
> rbtree GC chunk is not correct though. In 6.1, GC runs via workqueue,
> so the cached timestamp cannot be used in such case.
>
> Another possibility is to pull in the patch dependency to run GC
> synchronously.
>
> I am preparing a batch of updates for -stable, let me pick up on your
> patch.
>
> Thanks.
>
> On Fri, Jun 07, 2024 at 04:01:46PM -0700, Kuntal Nayak wrote:
> > diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
> > index 5bf5572e9..c4c92192c 100644
> > --- a/net/netfilter/nft_set_rbtree.c
> > +++ b/net/netfilter/nft_set_rbtree.c
> [...]
> > @@ -622,12 +624,14 @@ static void nft_rbtree_gc(struct work_struct *work)
> >       struct nft_set *set;
> >       unsigned int gc_seq;
> >       struct net *net;
> > +     u64 tstamp;
> >
> >       priv = container_of(work, struct nft_rbtree, gc_work.work);
> >       set  = nft_set_container_of(priv);
> >       net  = read_pnet(&set->net);
> >       nft_net = nft_pernet(net);
> >       gc_seq  = READ_ONCE(nft_net->gc_seq);
> > +     tstamp = nft_net_tstamp(net);
> >
> >       if (nft_set_gc_is_pending(set))
> >               goto done;
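
Review bot: the new "tstamp = nft_net_tstamp(net);" assignment sits in nft_rbtree_gc(struct work_struct *work), which is a workqueue handler (priv is recovered with container_of(work, struct nft_rbtree, gc_work.work)). As the reply above points out, in 6.1 GC runs via workqueue, so the cached timestamp cannot be used in that case. For the 6.1 backport, drop the "u64 tstamp;" local and this assignment from the GC worker, or first pull in the dependency that makes GC run synchronously so that a cached timestamp is meaningful at this point.
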
> > @@ -659,7 +663,7 @@ static void nft_rbtree_gc(struct work_struct *work)
> >                       rbe_end = rbe;
> >                       continue;
> >               }
> > -             if (!nft_set_elem_expired(&rbe->ext))
> > +             if (!__nft_set_elem_expired(&rbe->ext, tstamp))
> >                       continue;
> >
> >               nft_set_elem_dead(&rbe->ext);
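
Review bot: the expiry test "if (!__nft_set_elem_expired(&rbe->ext, tstamp))" decides which elements reach nft_set_elem_dead() from a value sampled once before the loop, inside the asynchronous worker. Since the worker is not tied to the point where the cached timestamp was taken, keep the original "if (!nft_set_elem_expired(&rbe->ext))" in this function so the GC path does not depend on the cached value. If the intent is to keep the timestamp-based check here, the patch needs the synchronous-GC dependency mentioned in the reply, and the commit message should say so.
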
> > --
> > 2.39.3
> >




