On Mon, Jul 15, 2024 at 04:15:56PM +0200, Pablo Neira Ayuso wrote:
> pipapo set backend maintains two copies of the data structure, removing
> the elements from the copy that is going to be discarded slows down
> the abort path significantly, from several minutes to a few seconds after
> this patch.
>
> This patch was previously reverted by
>
>   f86fb94011ae ("netfilter: nf_tables: revert do not remove elements if set backend implements .abort")
>
> but it is now possible since recent work by Florian Westphal to perform
> on-demand clone from insert/remove path:
>
>   532aec7e878b ("netfilter: nft_set_pipapo: remove dirty flag")
>   3f1d886cc7c3 ("netfilter: nft_set_pipapo: move cloning of match info to insert/removal path")
>   a238106703ab ("netfilter: nft_set_pipapo: prepare pipapo_get helper for on-demand clone")
>   c5444786d0ea ("netfilter: nft_set_pipapo: merge deactivate helper into caller")
>   6c108d9bee44 ("netfilter: nft_set_pipapo: prepare walk function for on-demand clone")
>   8b8a2417558c ("netfilter: nft_set_pipapo: prepare destroy function for on-demand clone")
>   80efd2997fb9 ("netfilter: nft_set_pipapo: make pipapo_clone helper return NULL")
>   a590f4760922 ("netfilter: nft_set_pipapo: move prove_locking helper around")
>
> after this series, the clone is fully released once aborted, no need to
> take it back to previous state. Thus, no stale reference to elements can
> occur.

I have now rescued this patch and placed it in nf-next.