netfilter: nf_tables: reset table validation state on abort

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

If a transaction fails the final validation in the commit hook, the table
validation state is changed to NFT_VALIDATE_DO and a replay of the batch is
performed. Every rule insert will then do a graph validation.

This is much slower, but provides better error reporting to the user
because we can point at the rule that introduces the validation issue.

Without this reset the affected table(s) remain in full validation mode,
i.e. on next transaction we start with slow-mode.

This makes the next transaction after a failed incremental update very slow:

# time iptables-restore < /tmp/ruleset
real 0m0.496s [..]
# time iptables -A CALLEE -j CALLER
iptables v1.8.11 (nf_tables): RULE_APPEND failed (Too many links): rule in chain CALLEE
real 0m0.022s [..]
# time iptables-restore < /tmp/ruleset
real 1m22.355s [..]

After this patch, 2nd iptables-restore is back to ~0.5s.

Fixes: 9a32e9850686 ("netfilter: nf_tables: don't write table validation state without mutex")
Signed-off-by: Florian Westphal <fw@strlen.de>

Florian Westphal 4 months ago 6f93616a 77b9c4a4

1 changed file

expand all

net

netfilter

nf_tables_api.c

net/netfilter/nf_tables_api.c

··· 11536 11536 ret = __nf_tables_abort(net, action); 11537 11537 nft_gc_seq_end(nft_net, gc_seq); 11538 11538 11539 + if (action == NFNL_ABORT_NONE) { 11540 + struct nft_table *table; 11541 + 11542 + list_for_each_entry(table, &nft_net->tables, list) 11543 + table->validate_state = NFT_VALIDATE_SKIP; 11544 + } 11545 + 11539 11546 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 11540 11547 11541 11548 /* module autoload needs to happen after GC sequence update because it

Configure Feed

Configure Feed