Hi,
This patchset adds support for updating set element timeouts. This
includes 5 fixes, then one patch to consolidate set element timeout
extensions, and finally the new marker for elements that never expire
and support for element timeout updates.
Patch #1 fixes a bug with timeouts less than HZ/10, assuming CONFIG_HZ=100
add element ip x y { 1.2.3.4 timeout 9ms)
results in an element that never expires. This happens because this
timeout results in jiffies64 == 0, hence, the timeout extension is not
allocated.
Patch #2 rejects element expiration with no timeout, this is currently
silently ignore in case no default set timeout is specified, e.g.
table ip x {
set y {
typeof ip saddr
flags timeout
elements = { 1.2.3.4 expires 30s }
}
}
Patch #3 remove unnecessary read_once notation when accessing default
set timeout while holding mutex.
Patch #4 adds read-write_once notations for lockless access to default set
timeout policy that are missing in dynset.
Patch #5 adds read-write_once notations for element expiration, again dynset
could update this while netlink dump is in progress.
Patch #6 consolidates the timeout extensions: timeout and expiration
are tightly coupled, use a single extension for both. This simplifies
set element timeout updates coming in the next patches.
Patch #7 adds a marker for elements that never update.
table ip x {
set y {
typeof ip saddr
timeout 1h
elements = { 1.2.3.4 timeout never, 1.2.3.5 }
}
}
In this case, 1.2.3.4 never expires and 1.2.3.5 gets a timeout of 1h
as per the default set timeout.
Note that it is already possible to define set elements that never
expire by declaring a set with the timeout flag set on, but with no
default set policy. In this case, no timeout extension is allocated.
table ip x {
set y {
typeof ip saddr
flags timeout
elements = { 1.2.3.4, 1.2.3.5 timeout 1h }
}
}
In this example above, 1.2.3.4 never expires [*]. The new marker prepares
for set element timeout updates, where the timeout extension needs to
be allocated. This marker also allows for elements that never expire
when default timeout policy is specified, which was not supported.
[*] Note that sets with no default timeout do not display timeout
never to retain backward compatibility in the listing.
Patch #8 allows to update set timeout/expiration.
table ip x {
set y {
typeof ip saddr
timeout 1h
elements = { 1.2.3.4, 1.2.3.5 }
}
}
which use default 1h set timeout. Then, updating timeout is possible via:
add element x y { 1.2.3.4 timeout 30s }
add element x y { 1.2.3.5 timeout 25s }
No tests/shell yet available, still working on this.
Pablo Neira Ayuso (8):
netfilter: nf_tables: elements with timeout less than HZ/10 never expire
netfilter: nf_tables: reject element expiration with no timeout
netfilter: nf_tables: remove annotation to access set timeout while holding lock
netfilter: nft_dynset: annotate data-races around set timeout
netfilter: nf_tables: annotate data-races around element expiration
netfilter: nf_tables: consolidate timeout extension for elements
netfilter: nf_tables: add never expires marker to elements
netfilter: nf_tables: set element timeout update support
include/net/netfilter/nf_tables.h | 32 +++--
include/uapi/linux/netfilter/nf_tables.h | 3 +
net/netfilter/nf_tables_api.c | 144 ++++++++++++++++-------
net/netfilter/nft_dynset.c | 21 ++--
net/netfilter/nft_last.c | 3 +-
5 files changed, 139 insertions(+), 64 deletions(-)
--
2.30.2
