From: Florian Westphal <fw@strlen.de>
To: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org, Dan Williams <dcbw@redhat.com>
Subject: Re: [PATCH v3 nf-next 1/2] netfilter: x_tables: wait until old table isn't used anymore
Date: Wed, 11 Oct 2017 20:18:03 +0200 [thread overview]
Message-ID: <20171011181803.GC26835@breakpoint.cc> (raw)
In-Reply-To: <CANn89iJ9r9Y1JeTzEFnyko8-h_hhdWGLw+nDLJVcMuvTm6HB0w@mail.gmail.com>
Eric Dumazet <edumazet@google.com> wrote:
> On Wed, Oct 11, 2017 at 10:48 AM, Florian Westphal <fw@strlen.de> wrote:
> > Eric Dumazet <edumazet@google.com> wrote:
> >> On Wed, Oct 11, 2017 at 7:26 AM, Florian Westphal <fw@strlen.de> wrote:
> >> > xt_replace_table relies on table replacement counter retrieval (which
> >> > uses xt_recseq to synchronize pcpu counters).
> >> >
> >> > This is fine, however with large rule set get_counters() can take
> >> > a very long time -- it needs to synchronize all counters because
> >> > it has to assume concurrent modifications can occur.
> >> >
> >> > Make xt_replace_table synchronize by itself by waiting until all cpus
> >> > had an even seqcount.
> >> >
> >> > This allows a followup patch to copy the counters of the old ruleset
> >> > without any synchonization after xt_replace_table has completed.
> >> >
> >> > Cc: Dan Williams <dcbw@redhat.com>
> >> > Cc: Eric Dumazet <edumazet@google.com>
> >> > Signed-off-by: Florian Westphal <fw@strlen.de>
> >> > ---
> >> > v3: check for 'seq is uneven' OR 'has changed' since
> >> > last check. Its fine if seq is uneven iff its a different
> >> > sequence number than the initial one.
> >> >
> >> > v2: fix Erics email address
> >> > net/netfilter/x_tables.c | 18 +++++++++++++++---
> >> > 1 file changed, 15 insertions(+), 3 deletions(-)
> >> >
> >> >
> >>
> >> Reviewed-by: Eric Dumazet <edumazet@google.com>
> >>
> >> But it seems we need an extra smp_wmb() after
> >>
> >> smp_wmb();
> >> table->private = newinfo;
> >> + smp_wmb();
> >>
> >> Otherwise we have no guarantee other cpus actually see the new ->private value.
> >
> > Seems to be unrelated to this change, so I will submit
> > a separate patch for nf.git that adds this.
>
> This is related to this change, please read the comment before the
> local_bh_enable9)
>
> /*
> * Even though table entries have now been swapped, other CPU's
> * may still be using the old entries. This is okay, because
> * resynchronization happens because of the locking done
> * during the get_counters() routine.
> */
Hmm, but get_counters() does not issue a wmb, and the 'new' code added
here essentially is the same as get_counters(), except that we only
read seqcount until we saw a change (and not for each counter in
the rule set).
What am I missing?
next prev parent reply other threads:[~2017-10-11 18:18 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-11 14:26 [PATCH v3 nf-next 0/2] netfilter: x_tables: speed up iptables-restore Florian Westphal
2017-10-11 14:26 ` [PATCH v3 nf-next 1/2] netfilter: x_tables: wait until old table isn't used anymore Florian Westphal
2017-10-11 15:09 ` Eric Dumazet
2017-10-11 17:48 ` Florian Westphal
2017-10-11 17:57 ` Eric Dumazet
2017-10-11 18:18 ` Florian Westphal [this message]
2017-10-11 18:23 ` Eric Dumazet
2017-10-11 14:26 ` [PATCH v3 nf-next 2/2] netfilter: x_tables: don't use seqlock when fetching old counters Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171011181803.GC26835@breakpoint.cc \
--to=fw@strlen.de \
--cc=dcbw@redhat.com \
--cc=edumazet@google.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.