netfilter-devel.vger.kernel.org archive mirror
* [PATCH nf] netfilter: nf_tables: return immediately on empty commit
@ 2019-03-07 22:20 Florian Westphal
From: Florian Westphal @ 2019-03-07 22:20 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

When running 'nft flush ruleset' while no rules exist, we will increment
the generation counter and announce a new genid to userspace, yet
nothing had changed in the first place.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_tables_api.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index dcd9cb68d826..1904e081853c 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6536,6 +6536,11 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
 	struct nft_chain *chain;
 	struct nft_table *table;
 
+	if (list_empty(&net->nft.commit_list)) {
+		mutex_unlock(&net->nft.commit_mutex);
+		return 0;
+	}
+
 	/* 0. Validate ruleset, otherwise roll back for error reporting. */
 	if (nf_tables_validate(net) < 0)
 		return -EAGAIN;
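Review bot: the new early return in nf_tables_commit() explicitly drops net->nft.commit_mutex before `return 0;`, while the existing error exit two lines below, `return -EAGAIN;` when nf_tables_validate() fails, returns with the mutex still held; the two exits evidently follow different locking conventions and nothing in the hunk says which one a future exit should copy. A one-line comment above the `list_empty()` check, e.g. `/* nothing to validate or announce; release the mutex as the normal commit path does */`, would stop a reader from flagging either exit as a lock leak. Placing the check ahead of step 0 (validation) is fine, since an empty commit list has nothing to validate, but that reasoning belongs in the same comment rather than only in the commit message.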
-- 
2.19.2



* Re: [PATCH nf] netfilter: nf_tables: return immediately on empty commit
From: Pablo Neira Ayuso @ 2019-03-11 13:13 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

Hi Florian,

On Thu, Mar 07, 2019 at 11:20:11PM +0100, Florian Westphal wrote:
> When running 'nft flush ruleset' while no rules exist, we will increment
> the generation counter and announce a new genid to userspace, yet
> nothing had changed in the first place.
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  net/netfilter/nf_tables_api.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index dcd9cb68d826..1904e081853c 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -6536,6 +6536,11 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
>  	struct nft_chain *chain;
>  	struct nft_table *table;
>  
> +	if (list_empty(&net->nft.commit_list)) {
> +		mutex_unlock(&net->nft.commit_mutex);
> +		return 0;
> +	}

This looks good to catch this case.

I think we should probably address these too:

term1# nft add table x
term1# nft add table x

term2# nft monitor
add table ip x
# new generation 1587 by process 14422 (nft)
# new generation 1588 by process 14423 (nft)

So re-insertion of existing objects should not trigger unnecessary
generation counter bump. We can probably count the number of events
that have been sent from the commit path before we bump it.

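Added example, not part of the thread or of the nftables project: a shell filter over `nft monitor` output that flags every `# new generation` announcement that no object event preceded, which is exactly the symptom in Pablo's session above (one `add table` event, two generation bumps). It assumes the output shape quoted above (one object event per line, generation lines starting with `# new generation`); the two sample sessions are constructed, the first copied from Pablo's message.

```shell
#!/bin/sh
# Added example, not code from the thread or from nftables: flag "new generation"
# announcements in `nft monitor` output that no ruleset change event preceded.
# Assumed input shape (as quoted in the thread):
#   add table ip x
#   # new generation 1587 by process 14422 (nft)

# Reads monitor output on stdin; prints "spurious generation N" for every
# generation line with zero change events since the previous generation line.
spurious_generations() {
    awk '
        /^# new generation [0-9]+ / {
            if (events == 0) printf "spurious generation %s\n", $4
            events = 0
            next
        }
        /^[a-z]+ [a-z]+/ { events++ }   # add/delete/... of table/chain/set/rule/...
    '
}

# Constructed sample: the monitor session quoted in the thread.  The first
# generation follows one "add table" event, the second follows none.
SAMPLE_THREAD='add table ip x
# new generation 1587 by process 14422 (nft)
# new generation 1588 by process 14423 (nft)'

# Constructed sample of a healthy session: every generation has an event.
SAMPLE_CLEAN='add table ip x
# new generation 1587 by process 14422 (nft)
add chain ip x y
# new generation 1588 by process 14423 (nft)'

# Convenience wrapper: run the check over a captured string instead of a live pipe.
check_monitor_output() {
    printf '%s\n' "$1" | spurious_generations
}

# Live use: nft monitor | spurious_generations
check_monitor_output "$SAMPLE_THREAD"
```

Run against Pablo's session the filter reports `spurious generation 1588` and nothing for the clean session. When attached to a live `nft monitor` pipe, awk may buffer its output, so a stuck terminal usually means no spurious bump has been seen yet rather than a failure of the filter.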

* Re: [PATCH nf] netfilter: nf_tables: return immediately on empty commit
From: Florian Westphal @ 2019-03-11 13:45 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> term1# nft add table x
> term1# nft add table x
> 
> term2# nft monitor
> add table ip x
> # new generation 1587 by process 14422 (nft)
> # new generation 1588 by process 14423 (nft)
> 
> So re-insertion of existing objects should not trigger unnecessary
> generation counter bump. We can probably count the number of events
> that have been sent from the commit path before we bump it.

That's strange.  Why does the second add result in the creation
of a transaction object in the first place?

2nd add should result in a call to "upd_table", and it should
find that no attributes are being changed, and no transaction
object should be created, i.e. the commit should end up with
empty transaction list.


* Re: [PATCH nf] netfilter: nf_tables: return immediately on empty commit
From: Pablo Neira Ayuso @ 2019-03-11 19:03 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Thu, Mar 07, 2019 at 11:20:11PM +0100, Florian Westphal wrote:
> When running 'nft flush ruleset' while no rules exist, we will increment
> the generation counter and announce a new genid to userspace, yet
> nothing had changed in the first place.

Applied, thanks Florian.

