* Re: [PATCH iptables 1/4] xtables: Do not register matches/targets with incompatible revision
From: Phil Sutter @ 2020-09-18 14:13 UTC (permalink / raw)
To: Serhey Popovych; +Cc: netfilter-devel, willem.j.debruijn
Hi Serhey,

On Wed, Mar 07, 2018 at 11:10:40AM +0200, Serhey Popovych wrote:
> If kernel tells revision isn't found/supported at the moment we should
> keep entity in pending list, not register or bail to do so later.

This causes a problem in particular with conntrack match (but others may
be affected as well): If the kernel doesn't support an older revision of
the match, it stays in pending list and is retried for each new rule
using the match.

> Kernel might still load module for entity we are asking it for and this
> could be slow on some embedded devices.

Is this a speculative problem or did you see it in reality? I'm
wondering because kernel uses try_then_request_module() to load the
missing extension which calls __request_module() with 'wait' parameter
set to true. So unless the called usermode helper is behaving unexpectedly
(e.g. fork and load in background), the call to
compatible_match_revision() should block until the module has been
loaded, no?

> Catch double registration attempts by checking me->next being non-NULL
> in xtables_register_match() and xtables_register_target().

Is this a side-effect of the above or an independent fix?

Cheers, Phil