linux/include/net/netfilter
Pablo Neira Ayuso 0165d9325d netfilter: nf_tables: fix racy rule deletion
We may lost race if we flush the rule-set (which happens asynchronously
via call_rcu) and we try to remove the table (that userspace assumes
to be empty).

Fix this by recovering synchronous rule and chain deletion. This was
introduced time ago before we had no batch support, and synchronous
rule deletion performance was not good. Now that we have the batch
support, we can just postpone the purge of old rule in a second step
in the commit phase. All object deletions are synchronous after this
patch.

As a side effect, we save memory as we don't need rcu_head per rule
anymore.

Cc: Patrick McHardy <kaber@trash.net>
Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2014-02-06 11:46:06 +01:00
..
ipv4 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables 2014-01-06 13:29:30 -05:00
ipv6 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables 2014-01-06 13:29:30 -05:00
nf_conntrack.h netfilter: nf_conntrack: don't release a conntrack with non-zero refcnt 2014-02-05 17:46:06 +01:00
nf_conntrack_acct.h netfilter: introduce nf_conn_acct structure 2013-11-03 21:48:49 +01:00
nf_conntrack_core.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_ecache.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_expect.h netfilter: rename netlink related "pid" variables to "portid" 2013-04-19 14:58:36 -04:00
nf_conntrack_extend.h netfilter: introduce nf_conn_acct structure 2013-11-03 21:48:49 +01:00
nf_conntrack_helper.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_l3proto.h netfilter: nf_conntrack: remove dead code 2014-01-03 23:41:37 +01:00
nf_conntrack_l4proto.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_labels.h netfilter: nf_ct_labels: move initialization out of pernet_operations 2013-01-23 12:56:23 +01:00
nf_conntrack_seqadj.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_synproxy.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-10-01 17:06:14 -04:00
nf_conntrack_timeout.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_timestamp.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_tuple.h netfilter: nf_nat: export NAT definitions to userspace 2011-12-23 14:36:43 +01:00
nf_conntrack_zones.h netfilter: nf_defrag_ipv4: fix compilation error with NF_CONNTRACK=n 2010-02-18 19:04:44 +01:00
nf_log.h netfilter: log: netns NULL ptr bug when calling from conntrack 2013-05-15 14:11:07 +02:00
nf_nat.h netfilter: nf_nat: move alloc_null_binding to nf_nat_core.c 2013-10-14 11:29:39 +02:00
nf_nat_core.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_nat_helper.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_nat_l3proto.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_nat_l4proto.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_queue.h netfilter: xt_NFQUEUE: separate reusable code 2013-12-07 23:20:45 +01:00
nf_tables.h netfilter: nf_tables: fix racy rule deletion 2014-02-06 11:46:06 +01:00
nf_tables_core.h nf_tables*.h: Remove extern from function prototypes 2013-10-21 17:19:06 -04:00
nf_tables_ipv4.h netfilter: nft_meta: add l4proto support 2014-01-07 23:57:31 +01:00
nf_tables_ipv6.h netfilter: nft_meta: add l4proto support 2014-01-07 23:57:31 +01:00
nfnetlink_log.h netfilter: log: netns NULL ptr bug when calling from conntrack 2013-05-15 14:11:07 +02:00
nfnetlink_queue.h netfilter: nfnetlink_queue: allow to attach expectations to conntracks 2013-08-13 16:32:10 +02:00
nft_reject.h netfilter: nf_tables: add reject module for NFPROTO_INET 2014-02-06 09:44:18 +01:00
xt_log.h netfilter: xt_LOG: don't use xchg() for simple assignment 2012-03-26 14:00:28 +02:00
xt_rateest.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00