netfilter-devel.vger.kernel.org archive mirror
From: Eric Garver <eric@garver.life>
To: Phil Sutter <phil@nwl.cc>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>
Subject: Re: [nft PATCH 0/3] Resolve cache update woes
Date: Wed, 22 May 2019 13:29:53 -0400
Message-ID: <20190522172953.mh5jylrbdig2alau@egarver.localdomain>
In-Reply-To: <20190521170614.epj4gjlhfpgmhvas@egarver.localdomain>

On Tue, May 21, 2019 at 01:06:14PM -0400, Eric Garver wrote:
> Hi Phil,
> 
> On Sat, May 18, 2019 at 01:00:30AM +0200, Phil Sutter wrote:
> > This series implements a fix for situations where a cache update removes
> > local (still uncommitted) items from cache leading to spurious errors
> > afterwards.
> >
> > The series is based on Eric's "src: update cache if cmd is more
> > specific" patch which is still under review but resolves a distinct
> > problem from the one addressed in this series.
> >
> > The first patch improves Eric's patch a bit. If he's OK with my change,
> > it may very well be just folded into his.
> >
> > Phil Sutter (3):
> >   src: Improve cache_needs_more() algorithm
> >   libnftables: Keep list of commands in nft context
> >   src: Restore local entries after cache update
> >
> >  include/nftables.h |  1 +
> >  src/libnftables.c  | 21 +++++------
> >  src/rule.c         | 91 +++++++++++++++++++++++++++++++++++++++++++---
> >  3 files changed, 96 insertions(+), 17 deletions(-)
> >
> > --
> > 2.21.0
> 
> I've been testing this series. I found anonymous sets are mistakenly
> free()d if a cache_release occurs.

Below is a real fix for this issue. After a cache update we need to skip adding
anonymous sets from the cmd list into the cache.

Phil, if you agree please fold this into your series.

diff --git a/src/rule.c b/src/rule.c
index 4f015fc5354b..94830b651925 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -224,6 +224,9 @@ static void cache_add_set_cmd(struct nft_ctx *nft, struct cmd *cmd)
 {
        struct table *table;
 
+       if (cmd->set->flags & NFT_SET_ANONYMOUS)
+               return;
+
        table = table_lookup(&cmd->handle, &nft->cache);
        if (table == NULL)
                return;
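
Review bot: the early return added at the top of cache_add_set_cmd() skips anonymous sets silently, with no comment recording why. A one-line comment above `if (cmd->set->flags & NFT_SET_ANONYMOUS)` would help, stating that anonymous sets from the cmd list must not be re-added to the cache after an update because they end up free()d on cache release, which is the reason given in the message. The check also dereferences cmd->set before the existing table_lookup() NULL check, so it relies on every command that reaches this function carrying a set object; worth confirming that holds for all callers, or guarding the dereference. When this is folded into the series, the rationale should be carried into the commit message of the patch it lands in.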
