leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
616b14b469
linux/net/netfilter
History
Florian Westphal 616b14b469 netfilter: don't rely on DYING bit to detect when destroy event was sent 
The reliable event delivery mode currently (ab)uses the DYING bit to
detect which entries on the dying list have to be skipped when
re-delivering events from the eache worker in reliable event mode.

Currently when we delete the conntrack from main table we only set this
bit if we could also deliver the netlink destroy event to userspace.

If we fail we move it to the dying list, the ecache worker will
reattempt event delivery for all confirmed conntracks on the dying list
that do not have the DYING bit set.

Once timer is gone, we can no longer use if (del_timer()) to detect
when we 'stole' the reference count owned by the timer/hash entry, so
we need some other way to avoid racing with other cpu.

Pablo suggested to add a marker in the ecache extension that skips
entries that have been unhashed from main table but are still waiting
for the last reference count to be dropped (e.g. because one skb waiting
on nfqueue verdict still holds a reference).

We do this by adding a tristate.
If we fail to deliver the destroy event, make a note of this in the
eache extension.  The worker can then skip all entries that are in
a different state.  Either they never delivered a destroy event,
e.g. because the netlink backend was not loaded, or redelivery took
place already.

Once the conntrack timer is removed we will now be able to replace
del_timer() test with test_and_set_bit(DYING, &ct->status) to avoid
racing with other cpu that tries to evict the same conntrack.

Because DYING will then be set right before we report the destroy event
we can no longer skip event reporting when dying bit is set.

Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-08-30 11:43:08 +02:00
..
ipset netfilter: ipset: fix race condition in ipset save, swap and delete 2016-03-28 17:57:45 +02:00
ipvs ipvs: use nf_ct_kill helper 2016-08-12 00:43:52 +02:00
core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-10-24 06:54:12 -07:00
Kconfig netfilter: nf_tables: add number generator expression 2016-08-22 11:42:22 +02:00
Makefile netfilter: nf_tables: add number generator expression 2016-08-22 11:42:22 +02:00
nf_conntrack_acct.c netfilter: Remove uses of seq_<foo> return values 2015-03-18 10:51:35 +01:00
nf_conntrack_amanda.c net: Remove state argument from skb_find_text() 2015-02-22 15:59:54 -05:00
nf_conntrack_broadcast.c
nf_conntrack_core.c netfilter: restart search if moved to other chain 2016-08-30 11:43:08 +02:00
nf_conntrack_ecache.c netfilter: don't rely on DYING bit to detect when destroy event was sent 2016-08-30 11:43:08 +02:00
nf_conntrack_expect.c netfilter: conntrack: use a single expectation table for all namespaces 2016-05-06 11:50:01 +02:00
nf_conntrack_extend.c netfilter: move nat hlist_head to nf_conn 2016-07-11 11:47:50 +02:00
nf_conntrack_ftp.c netfilter: fix spelling mistake: "delimitter" -> "delimiter" 2016-08-22 11:43:27 +02:00
nf_conntrack_h323_asn1.c netfilter: nf_conntrack_h323: fix off-by-one in DecodeQ931 2016-07-11 12:32:45 +02:00
nf_conntrack_h323_main.c netfilter: h323: Use mod_timer instead of set_expect_timeout 2016-07-23 11:44:05 +02:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: Add helper array register/unregister functions 2016-07-21 02:31:53 +02:00
nf_conntrack_irc.c netfilter: Add helper array register/unregister functions 2016-07-21 02:31:53 +02:00
nf_conntrack_l3proto_generic.c netfilter: Convert print_tuple functions to return void 2014-11-05 14:10:33 -05:00
nf_conntrack_labels.c netfilter: connlabels: move set helper to xt_connlabel 2016-07-22 17:05:10 +02:00
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: use_nf_conn_expires helper in more places 2016-08-12 00:43:13 +02:00
nf_conntrack_pptp.c netfilter: nf_conntrack: push zone object into functions 2015-08-11 12:29:01 +02:00
nf_conntrack_proto_dccp.c netfilter: conntrack: Only need first 4 bytes to get l4proto ports 2016-08-12 00:41:08 +02:00
nf_conntrack_proto_generic.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_proto_gre.c netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple 2015-09-18 22:00:04 +02:00
nf_conntrack_proto_sctp.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_proto_tcp.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_proto_udp.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_proto_udplite.c netfilter: conntrack: Only need first 4 bytes to get l4proto ports 2016-08-12 00:41:08 +02:00
nf_conntrack_proto.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_sane.c netfilter: Add helper array register/unregister functions 2016-07-21 02:31:53 +02:00
nf_conntrack_seqadj.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_conntrack_sip.c netfilter: Add helper array register/unregister functions 2016-07-21 02:31:53 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c netfilter: use_nf_conn_expires helper in more places 2016-08-12 00:43:13 +02:00
nf_conntrack_tftp.c netfilter: Add helper array register/unregister functions 2016-07-21 02:31:53 +02:00
nf_conntrack_timeout.c netfilter: cttimeout: add netns support 2015-12-14 12:48:58 +01:00
nf_conntrack_timestamp.c netfilter: nf_ct_timestamp: Fix BUG_ON after netns deletion 2013-12-20 14:58:29 +01:00
nf_dup_netdev.c net: remove skb_sender_cpu_clear() 2016-03-01 17:36:47 -05:00
nf_internals.h netfilter: nf_queue: fix nf_queue_nf_hook_drop() 2015-07-23 16:17:58 +02:00
nf_log_common.c netfilter: bridge: add helpers for fetching physin/outdev 2015-04-08 16:49:08 +02:00
nf_log.c netfilter: nf_log: fix error on write NONE to logger choice sysctl 2016-07-05 14:57:57 +02:00
nf_nat_amanda.c
nf_nat_core.c netfilter: nat: convert nat bysrc hash to rhashtable 2016-07-11 12:07:57 +02:00
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper 2014-01-06 14:17:17 +01:00
nf_nat_proto_common.c netfilter: use IS_ENABLED() macro 2014-06-30 11:38:03 +02:00
nf_nat_proto_dccp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_sctp.c netfilter: use IS_ENABLED() macro 2014-06-30 11:38:03 +02:00
nf_nat_proto_tcp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_udp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_udplite.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_unknown.c
nf_nat_redirect.c netfilter: nf_nat_redirect: add missing NULL pointer check 2015-10-27 06:54:56 +01:00
nf_nat_sip.c netfilter: replace strnicmp with strncasecmp 2014-10-14 02:18:24 +02:00
nf_nat_tftp.c
nf_queue.c netfilter: nf_queue: Make the queue_handler pernet 2016-05-25 11:54:22 +02:00
nf_sockopt.c netfilter: don't use mutex_lock_interruptible() 2014-08-08 16:47:23 +02:00
nf_synproxy_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2015-09-05 21:57:42 -07:00
nf_tables_api.c netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion 2016-08-26 17:30:20 +02:00
nf_tables_core.c netfilter: nf_tables: fix a wrong check to skip the inactive rules 2016-06-15 12:17:24 +02:00
nf_tables_inet.c netfilter: nf_tables: release objects on netns destruction 2015-12-28 18:34:35 +01:00
nf_tables_netdev.c netfilter: nf_tables_netdev: fix error path in module initialization 2016-01-18 13:53:37 +01:00
nf_tables_trace.c libnl: nla_put_be64(): align on a 64-bit area 2016-04-23 20:13:24 -04:00
nfnetlink_acct.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-15 13:32:48 -04:00
nfnetlink_cthelper.c netfilter: nfnetlink: pass down netns pointer to call() and call_rcu() 2015-12-28 18:41:41 +01:00
nfnetlink_cttimeout.c netfilter: cttimeout: unlink timeout obj again when hash resize happen 2016-07-11 11:39:08 +02:00
nfnetlink_log.c netfilter: xt_NFLOG: nflog-range does not truncate packets 2016-06-24 11:03:23 +02:00
nfnetlink_queue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2016-06-01 17:54:19 -07:00
nfnetlink.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-02-23 00:09:14 -05:00
nft_bitwise.c netfilter: nf_tables: support variable sized data in nft_data_init() 2015-04-13 17:17:30 +02:00
nft_byteorder.c netfilter: nft_byteorder: avoid unneeded le/be conversion steps 2016-01-13 14:02:59 +01:00
nft_cmp.c netfilter: nf_tables: support variable sized data in nft_data_init() 2015-04-13 17:17:30 +02:00
nft_compat.c netfilter: nft_compat: fix crash when related match/target module is removed 2016-07-23 12:25:00 +02:00
nft_counter.c libnl: nla_put_be64(): align on a 64-bit area 2016-04-23 20:13:24 -04:00
nft_ct.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2016-07-24 22:02:36 -07:00
nft_dup_netdev.c netfilter: nf_tables: add packet duplication to the netdev family 2016-01-03 21:04:23 +01:00
nft_dynset.c netfilter: nf_tables: add generation mask to sets 2016-06-24 11:03:26 +02:00
nft_exthdr.c netfilter: nf_tables: switch registers to 32 bit addressing 2015-04-13 17:17:29 +02:00
nft_fwd_netdev.c netfilter: nf_tables: add forward expression to the netdev family 2016-01-04 17:48:38 +01:00
nft_hash.c netfilter: nf_tables: Use nla_put_be32() to dump immediate parameters 2016-08-26 17:30:21 +02:00
nft_immediate.c netfilter: nf_tables: support variable sized data in nft_data_init() 2015-04-13 17:17:30 +02:00
nft_limit.c libnl: nla_put_be64(): align on a 64-bit area 2016-04-23 20:13:24 -04:00
nft_log.c netfilter: nft_log: fix snaplen does not truncate packets 2016-07-21 02:32:34 +02:00
nft_lookup.c netfilter: nf_tables: get rid of possible_net_t from set and basechain 2016-07-11 12:16:04 +02:00
nft_masq.c netfilter: nft_masq: support port range 2016-03-02 20:05:27 +01:00
nft_meta.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-07-24 00:53:32 -04:00
nft_nat.c netfilter: nf_tables: switch registers to 32 bit addressing 2015-04-13 17:17:29 +02:00
nft_numgen.c netfilter: nf_tables: Use nla_put_be32() to dump immediate parameters 2016-08-26 17:30:21 +02:00
nft_payload.c netfilter: nft_payload: add packet mangling support 2015-11-25 13:54:51 +01:00
nft_queue.c netfilter: nf_tables: kill nft_pktinfo.ops 2015-09-18 21:58:01 +02:00
nft_quota.c netfilter: nf_tables: add quota expression 2016-08-22 11:42:18 +02:00
nft_redir.c netfilter: nf_tables: add register parsing/dumping helpers 2015-04-13 17:17:28 +02:00
nft_reject_inet.c ipv4: Push struct net down into nf_send_reset 2015-09-29 20:21:31 +02:00
nft_reject.c netfilter; Add some missing default cases to switch statements in nft_reject. 2015-04-27 13:20:34 -04:00
nft_set_hash.c netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion 2016-08-26 17:30:20 +02:00
nft_set_rbtree.c netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion 2016-08-26 17:30:20 +02:00
x_tables.c netfilter: x_tables: speed up jump target validation 2016-07-18 21:35:23 +02:00
xt_addrtype.c netfilter: x_tables: Use par->net instead of computing from the passed net devices 2015-09-18 21:58:25 +02:00
xt_AUDIT.c netfilter: Convert uses of __constant_<foo> to <foo> 2014-03-13 14:13:19 +01:00
xt_bpf.c net: filter: split 'struct sk_filter' into socket and bpf parts 2014-08-02 15:03:58 -07:00
xt_cgroup.c netfilter: implement xt_cgroup cgroup2 path match 2015-12-14 20:34:55 +01:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c net: use reciprocal_scale() helper 2014-08-23 12:21:21 -07:00
xt_comment.c
xt_connbytes.c netfilter: Convert pr_warning to pr_warn 2014-09-10 12:40:10 -07:00
xt_connlabel.c netfilter: connlabels: move set helper to xt_connlabel 2016-07-22 17:05:10 +02:00
xt_connlimit.c netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple 2015-09-18 22:00:04 +02:00
xt_connmark.c netfilter: Fix FSF address in file headers 2013-12-06 12:37:57 -05:00
xt_CONNSECMARK.c
xt_conntrack.c netfilter: use_nf_conn_expires helper in more places 2016-08-12 00:43:13 +02:00
xt_cpu.c
xt_CT.c netfilter: cttimeout: add netns support 2015-12-14 12:48:58 +01:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c netfilter: fix various sparse warnings 2014-11-13 12:14:42 +01:00
xt_ecn.c
xt_esp.c
xt_hashlimit.c netfilter: Remove checks of seq_printf() return values 2014-11-05 14:11:02 -05:00
xt_helper.c
xt_hl.c
xt_HL.c
xt_HMARK.c net: use reciprocal_scale() helper 2014-08-23 12:21:21 -07:00
xt_IDLETIMER.c netfilter: IDLETIMER: fix race condition when destroy the target 2016-04-29 14:28:48 +02:00
xt_ipcomp.c netfilter: xt_ipcomp: Use ntohs to ease sparse warning 2014-02-19 11:41:25 +01:00
xt_iprange.c
xt_ipvs.c ipvs: Pass ipvs into conn_out_get 2015-09-24 09:34:41 +09:00
xt_l2tp.c netfilter: introduce l2tp match extension 2014-01-09 21:36:39 +01:00
xt_LED.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-08-05 18:46:26 -07:00
xt_length.c
xt_limit.c
xt_LOG.c netfilter: x_tables: Use par->net instead of computing from the passed net devices 2015-09-18 21:58:25 +02:00
xt_mac.c
xt_mark.c netfilter: xt_MARK: Add ARP support 2015-05-14 13:00:27 +02:00
xt_multiport.c
xt_nat.c
xt_NETMAP.c
xt_nfacct.c netfilter: nfacct: per network namespace support 2015-08-07 11:50:56 +02:00
xt_NFLOG.c netfilter: xt_NFLOG: nflog-range does not truncate packets 2016-06-24 11:03:23 +02:00
xt_NFQUEUE.c netfilter: xt_NFQUEUE: separate reusable code 2013-12-07 23:20:45 +01:00
xt_osf.c netfilter: xt_osf: remove unused variable 2016-02-29 13:59:43 +01:00
xt_owner.c netfilter: Allow xt_owner in any user namespace 2016-06-23 13:58:55 +02:00
xt_physdev.c netfilter: physdev: add missed blank 2016-08-12 00:42:14 +02:00
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c
xt_RATEEST.c net: sched: do not acquire qdisc spinlock in qdisc/class stats dump 2016-06-07 16:37:14 -07:00
xt_realm.c
xt_recent.c netfilter: x_tables: Use par->net instead of computing from the passed net devices 2015-09-18 21:58:25 +02:00
xt_REDIRECT.c netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module 2014-11-27 13:08:42 +01:00
xt_repldata.h net: netfilter: LLVMLinux: vlais-netfilter 2014-06-07 11:44:39 -07:00
xt_sctp.c
xt_SECMARK.c
xt_set.c netfilter: ipset: Fix coding styles reported by checkpatch.pl 2015-06-14 10:40:18 +02:00
xt_socket.c tcp/dccp: do not touch listener sk_refcnt under synflood 2016-04-04 22:11:20 -04:00
xt_state.c
xt_statistic.c net: replace macros net_random and net_srandom with direct calls to prandom 2014-01-14 15:15:25 -08:00
xt_string.c net: Remove state argument from skb_find_text() 2015-02-22 15:59:54 -05:00
xt_tcpmss.c
xt_TCPMSS.c netfilter: xt_TCPMSS: handle CHECKSUM_COMPLETE in tcpmss_tg6() 2016-01-18 12:18:17 +01:00
xt_TCPOPTSTRIP.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
xt_tcpudp.c netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF 2016-07-03 10:55:07 +02:00
xt_TEE.c netfilter: tee: select NF_DUP_IPV6 unconditionally 2016-02-08 12:58:28 +01:00
xt_time.c
xt_TPROXY.c inet: refactor inet[6]_lookup functions to take skb 2016-02-11 03:54:14 -05:00
xt_TRACE.c netfilter: xt_TRACE: add explicitly nf_logger_find_get call 2016-06-23 13:26:49 +02:00
xt_u32.c