[PATCH nf] netfilter: nf_tables: disable preemption in nft_update_chain_stats()

2018-05-27 Thread Pablo Neira Ayuso
This patch fixes the following splat. [118709.054937] BUG: using smp_processor_id() in preemptible [] code: test/1571 [118709.054970] caller is nft_update_chain_stats.isra.4+0x53/0x97 [nf_tables] [118709.054980] CPU: 2 PID: 1571 Comm: test Not tainted 4.17.0-rc6+ #335 [...]

[PATCH] iptables-compat: homogenize error message

2018-05-27 Thread Arushi Singhal
There is a difference between error messages in iptables and iptables-compat: #sudo iptables-compat -D INPUT 4 iptables: No chain/target/match by that name. #sudo iptables -D INPUT 4 iptables: Index of deletion too big. Now, will show same error message. Signed-off-by: Arushi Singhal

[PATCH nf-next 8/8] netfilter: nf_tables: nf_tables_getrule: use call_rcu

2018-05-27 Thread Florian Westphal
Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 16 +--- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 528766cfd0a0..ab306e169d36 100644 ---

[PATCH nf-next 7/8] netfilter: nf_tables: nf_tables_getflowtable: use call_rcu

2018-05-27 Thread Florian Westphal
Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 9454c7fc1978..528766cfd0a0 100644 ---

[PATCH nf-next 5/8] netfilter: nf_tables: nf_tables_getsetelem: use call_rcu

2018-05-27 Thread Florian Westphal
Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 879807f6015b..d0cfce2fb72b 100644 ---

[PATCH nf-next 6/8] netfilter: nf_tables: nf_tables_getobj: use call_rcu

2018-05-27 Thread Florian Westphal
Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 16 +--- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index d0cfce2fb72b..9454c7fc1978 100644 ---

[PATCH nf-next 2/8] netfilter: nf_tables: nf_tables_gettable: use call_rcu

2018-05-27 Thread Florian Westphal
We can make all dumps and lookups lockless. Dumps currently only hold the nfnl mutex on the dump request itself. Dumps can span multiple syscalls, dump continuation doesn't acquire the nfnl mutex anywhere, i.e. the dump callbacks in nf_tables already use rcu and never rely on nfnl mutex being

[PATCH nf-next 1/8] netfilter: nf_tables: nf_tables_getgen: use call_rcu

2018-05-27 Thread Florian Westphal
This callback just fetches the current base sequence, there is no need to serialize this with nfnl nft mutex. Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c

[PATCH nf-next 0/8] netfilter: nf_tables: make get and dump operations lockless

2018-05-27 Thread Florian Westphal
This series converts all get/dump requests to .call_rcu. This allows listing rulesets, sets, etc. even if another entity is performing an update. In the dump case, only the dump request was locked via nfnl mutex, i.e. the dump callbacks in nf_tables already use rcu read locks everywhere. So

[PATCH nf-next 4/8] netfilter: nf_tables: nf_tables_getset: use call_rcu

2018-05-27 Thread Florian Westphal
Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index e87faf5ea10c..879807f6015b 100644 ---

[PATCH nf-next 3/8] netfilter: nf_tables: nf_tables_getchain: use call_rcu

2018-05-27 Thread Florian Westphal
Same rationale as preceding commit. This and all other remaining patches in the series apply the same scheme to all dump requests: - use the nft_netlink_dump_start_rcu helper added in first patch - use GFP_ATOMIC and rcu list iteration - switch to .call_rcu ... thus making all dumps in

[PATCH nf-next] netfilter: nf_tables: fail batch if fatal signal is pending

2018-05-27 Thread Florian Westphal
abort batch processing and return so task can exit faster. Otherwise even SIGKILL has no immediate effect. Signed-off-by: Florian Westphal --- net/netfilter/nfnetlink.c | 8 1 file changed, 8 insertions(+) diff --git a/net/netfilter/nfnetlink.c

[PATCH nf-next] netfilter: nf_tables: fix endian mismatch in return type

2018-05-27 Thread Florian Westphal
harmless, but it avoids sparse warnings: nf_tables_api.c:2813:16: warning: incorrect type in return expression (different base types) nf_tables_api.c:2863:47: warning: incorrect type in argument 3 (different base types) nf_tables_api.c:3524:47: warning: incorrect type in argument 3 (different

[PATCH nf-next] netfilter: nft_compat: use call_rcu for nfnl_compat_get

2018-05-27 Thread Florian Westphal
Just use .call_rcu instead. We can drop the rcu read lock after obtaining a reference and re-acquire on return. Signed-off-by: Florian Westphal --- net/netfilter/nft_compat.c | 29 ++--- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git