Re: [PATCH iptables 1/4] xtables: Do not register matches/targets with incompatible revision

Re: [PATCH iptables 1/4] xtables: Do not register matches/targets with incompatible revision

[Phil Sutter]

Hi Serhey,

On Wed, Mar 07, 2018 at 11:10:40AM +0200, Serhey Popovych wrote:
> If kernel tells revision isn't found/supported at the moment we should
> keep entity in pending list, not register or bail to do so later.

This causes a problem in particular with conntrack match (but others may
be affected as well): If the kernel doesn't support an older revision of
the match, it stays in pending list and is retried for each new rule
using the match.

> Kernel might still load module for entity we asking it for and this
> could be slow on some embedded devices.

Is this a speculative problem or did you see it in reality? I'm
wondering because kernel uses try_then_request_module() to load the
missing extension which calls __request_module() with 'wait' parameter
set to true. So unless the called usermode helper is behaving unexpected
(e.g. fork and load in background), the call to
compatible_match_revision() should block until the module has been
loaded, no?

> Catch double registration attempts by checking me->next being non-NULL
> in xtables_register_match() and xtables_register_target().

Is this a side-effect of the above or an independent fix?

Cheers, Phil