diff options
author | Pablo Neira Ayuso | 2018-02-01 18:49:00 +0100 |
---|---|---|
committer | Pablo Neira Ayuso | 2018-02-02 18:26:42 +0100 |
commit | c7f0030b5b67866c588845abde7bf011de25b98a (patch) | |
tree | 88aa5bcfc07581b764d8db201d356a541c92ead3 /net/netfilter/nf_tables_api.c | |
parent | netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1() (diff) | |
download | kernel-qcow2-linux-c7f0030b5b67866c588845abde7bf011de25b98a.tar.gz kernel-qcow2-linux-c7f0030b5b67866c588845abde7bf011de25b98a.tar.xz kernel-qcow2-linux-c7f0030b5b67866c588845abde7bf011de25b98a.zip |
netfilter: nft_flow_offload: wait for garbage collector to run after cleanup
If netdevice goes down, then flowtable entries are scheduled to be
removed. Wait for garbage collector to have a chance to run so it can
delete them from the hashtable.
The flush call might sleep, so hold the nfnl mutex from
nft_flow_table_iterate() instead of rcu read side lock. The use of the
nfnl mutex is also implicitly fixing races between updates via nfnetlink
and netdevice event.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nf_tables_api.c')
-rw-r--r-- | net/netfilter/nf_tables_api.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 0791813a1e7d..07dd1fac78a8 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -5006,13 +5006,13 @@ void nft_flow_table_iterate(struct net *net, struct nft_flowtable *flowtable; const struct nft_table *table; - rcu_read_lock(); - list_for_each_entry_rcu(table, &net->nft.tables, list) { - list_for_each_entry_rcu(flowtable, &table->flowtables, list) { + nfnl_lock(NFNL_SUBSYS_NFTABLES); + list_for_each_entry(table, &net->nft.tables, list) { + list_for_each_entry(flowtable, &table->flowtables, list) { iter(&flowtable->data, data); } } - rcu_read_unlock(); + nfnl_unlock(NFNL_SUBSYS_NFTABLES); } EXPORT_SYMBOL_GPL(nft_flow_table_iterate); |