[net,1/7] netfilter: nf_tables: do not remove elements if set backend implements .abort

Message ID 20231012085724.15155-2-fw@strlen.de (mailing list archive)
State Accepted
Commit ebd032fa881882fef2acb9da1bbde48d8233241d
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/series_format success Pull request is its own cover letter
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1379 this patch: 1379
netdev/cc_maintainers warning 2 maintainers not CCed: kadlec@netfilter.org coreteam@netfilter.org
netdev/build_clang success Errors and warnings before: 1387 this patch: 1387
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1403 this patch: 1403
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Florian Westphal Oct. 12, 2023, 8:57 a.m. UTC
From: Pablo Neira Ayuso <pablo@netfilter.org>

pipapo set backend maintains two copies of the datastructure, removing
the elements from the copy that is going to be discarded slows down
the abort path significantly, from several minutes to few seconds after
this patch.

Fixes: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_tables_api.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

patchwork-bot+netdevbpf@kernel.org Oct. 14, 2023, 1 a.m. UTC | #1
Hello:

This series was applied to netdev/net.git (main)
by Florian Westphal <fw@strlen.de>:

On Thu, 12 Oct 2023 10:57:04 +0200 you wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> pipapo set backend maintains two copies of the datastructure, removing
> the elements from the copy that is going to be discarded slows down
> the abort path significantly, from several minutes to few seconds after
> this patch.
> 
> [...]

Here is the summary with links:
  - [net,1/7] netfilter: nf_tables: do not remove elements if set backend implements .abort
    https://git.kernel.org/netdev/net/c/ebd032fa8818
  - [net,2/7] netfilter: nfnetlink_log: silence bogus compiler warning
    https://git.kernel.org/netdev/net/c/2e1d17541097
  - [net,3/7] netfilter: nf_tables: Annotate struct nft_pipapo_match with __counted_by
    https://git.kernel.org/netdev/net/c/d51c42cdef5f
  - [net,4/7] netfilter: nf_tables: do not refresh timeout when resetting element
    https://git.kernel.org/netdev/net/c/4c90bba60c26
  - [net,5/7] nf_tables: fix NULL pointer dereference in nft_inner_init()
    https://git.kernel.org/netdev/net/c/52177bbf19e6
  - [net,6/7] nf_tables: fix NULL pointer dereference in nft_expr_inner_parse()
    https://git.kernel.org/netdev/net/c/505ce0630ad5
  - [net,7/7] netfilter: nft_payload: fix wrong mac header matching
    https://git.kernel.org/netdev/net/c/d351c1ea2de3

You are awesome, thank you!

Patch

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a72b6aeefb1b..c3de3791cabd 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10347,7 +10347,10 @@  static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
 				break;
 			}
 			te = (struct nft_trans_elem *)trans->data;
-			nft_setelem_remove(net, te->set, &te->elem);
+			if (!te->set->ops->abort ||
+			    nft_setelem_is_catchall(te->set, &te->elem))
+				nft_setelem_remove(net, te->set, &te->elem);
+
 			if (!nft_setelem_is_catchall(te->set, &te->elem))
 				atomic_dec(&te->set->nelems);
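
Review bot: the new condition `if (!te->set->ops->abort || ...)` makes rollback of a pending element depend on a contract that is not written down anywhere in this hunk: a set backend that provides ->abort must itself drop every element inserted by the aborted transaction, otherwise the element stays in the set while `atomic_dec(&te->set->nelems)` just below still runs for it. The commit message explains this for pipapo (the working copy is discarded), but a short comment above the `if` stating that requirement, and why catchall elements still go through nft_setelem_remove() here, would keep a future backend that adds ->abort from silently leaving stale elements behind. As a smaller point, `nft_setelem_is_catchall(te->set, &te->elem)` is now evaluated in two adjacent statements and could be held in a local.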