From: Eric Garver <eric@garver.life>
To: Phil Sutter <phil@nwl.cc>,
Pablo Neira Ayuso <pablo@netfilter.org>,
netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>
Subject: Re: [nft PATCH 0/3] Resolve cache update woes
Date: Wed, 22 May 2019 13:29:53 -0400
Message-ID: <20190522172953.mh5jylrbdig2alau@egarver.localdomain>
In-Reply-To: <20190521170614.epj4gjlhfpgmhvas@egarver.localdomain>

On Tue, May 21, 2019 at 01:06:14PM -0400, Eric Garver wrote:
> Hi Phil,
>
> On Sat, May 18, 2019 at 01:00:30AM +0200, Phil Sutter wrote:
> > This series implements a fix for situations where a cache update removes
> > local (still uncommitted) items from cache leading to spurious errors
> > afterwards.
> >
> > The series is based on Eric's "src: update cache if cmd is more
> > specific" patch which is still under review but resolves a distinct
> > problem from the one addressed in this series.
> >
> > The first patch improves Eric's patch a bit. If he's OK with my change,
> > it may very well be just folded into his.
> >
> > Phil Sutter (3):
> > src: Improve cache_needs_more() algorithm
> > libnftables: Keep list of commands in nft context
> > src: Restore local entries after cache update
> >
> > include/nftables.h | 1 +
> > src/libnftables.c | 21 +++++------
> > src/rule.c | 91 +++++++++++++++++++++++++++++++++++++++++++---
> > 3 files changed, 96 insertions(+), 17 deletions(-)
> >
> > --
> > 2.21.0
>
> I've been testing this series. I found anonymous sets are mistakenly
> free()d if a cache_release occurs.

Below is a real fix for this issue. After a cache update we need to skip adding
anonymous sets from the cmd list into the cache.

Phil, if you agree please fold this into your series.

diff --git a/src/rule.c b/src/rule.c
index 4f015fc5354b..94830b651925 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -224,6 +224,9 @@ static void cache_add_set_cmd(struct nft_ctx *nft, struct cmd *cmd)
{
struct table *table;
+ if (cmd->set->flags & NFT_SET_ANONYMOUS)
+ return;
+
table = table_lookup(&cmd->handle, &nft->cache);
if (table == NULL)
return;
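
Review bot: the new `if (cmd->set->flags & NFT_SET_ANONYMOUS)` early return at the top of cache_add_set_cmd() carries no comment saying why anonymous sets are skipped. The reason (anonymous sets from the cmd list must not be added back into the cache after a cache update) is only stated in the mail text, so a one-line comment above the check would keep it with the code once this is folded into the series. The check also dereferences cmd->set before anything else in the function, so it is worth confirming that every caller reaches this point with cmd->set populated.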