1. 29 Mar, 2015 24 commits
  2. 27 Mar, 2015 12 commits
  3. 26 Mar, 2015 4 commits
    • netfilter: nf_tables: implement set transaction support · cc02e457
      Patrick McHardy authored
      Set elements are the last object type not supporting transaction support.
      Implement similar to the existing rule transactions:
      
      The global transaction counter keeps track of two generations, current
      and next. Each element contains a bitmask specifying in which generations
      it is inactive.
      
      New elements start out as inactive in the current generation and active
      in the next. On commit, the previous next generation becomes the current
      generation and the element becomes active. The bitmask is then cleared
      to indicate that the element is active in all future generations. If the
      transaction is aborted, the element is removed from the set before it
      becomes active.
      
      When removing an element, it gets marked as inactive in the next generation.
      On commit the next generation becomes active and therefore the element
      inactive. It is then taken out of the set and released. On abort, the
      element is marked as active for the next generation again.
      
      Lookups ignore elements not active in the current generation.
      
      The current set types (hash/rbtree) both use a field in the extension area
      to store the generation mask. This (currently) does not require any
      additional memory since we have some free space in there.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
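The two-generation scheme described in the commit message above, as a user-space toy model in C. This is an added example, not the kernel's code: every name in it (`set_model`, `set_add`, `set_del`, `set_finish`, `find`) is hypothetical, and it uses a small fixed array that is scanned on commit and abort.

```c
#include <stdbool.h>
#include <stdint.h>
#define MAX_ELEMS 8 /* toy model, not kernel code; every name here is hypothetical */
struct elem { uint32_t key; uint8_t inactive; bool used; };   /* bit g of inactive: inactive in generation g */
struct set_model { struct elem e[MAX_ELEMS]; unsigned cur; }; /* cur: current generation, 0 or 1 */
static uint8_t gen_cur(const struct set_model *s)  { return (uint8_t)(1u << s->cur); }
static uint8_t gen_next(const struct set_model *s) { return (uint8_t)(1u << (s->cur ^ 1u)); }

/* Index of the element with this key that is active in generation bit `gen`, or -1. */
static int find(const struct set_model *s, uint32_t key, uint8_t gen)
{
    for (int i = 0; i < MAX_ELEMS; i++)
        if (s->e[i].used && s->e[i].key == key && !(s->e[i].inactive & gen))
            return i;
    return -1;
}

/* Lookups ignore elements not active in the current generation. */
static bool set_lookup(const struct set_model *s, uint32_t key) { return find(s, key, gen_cur(s)) >= 0; }

/* A new element starts inactive in the current generation, active in the next. */
static bool set_add(struct set_model *s, uint32_t key)
{
    for (int i = 0; i < MAX_ELEMS; i++)
        if (!s->e[i].used) {
            s->e[i] = (struct elem){ .key = key, .inactive = gen_cur(s), .used = true };
            return true;
        }
    return false; /* set full */
}

/* Removal only marks the element inactive in the next generation. */
static bool set_del(struct set_model *s, uint32_t key)
{
    int i = find(s, key, gen_next(s));
    if (i >= 0) s->e[i].inactive |= gen_next(s);
    return i >= 0;
}

/* Commit flips the generation first, so one rule ends both outcomes: an element
 * inactive in the (now) current generation leaves the set, the rest get a clear mask. */
static void set_finish(struct set_model *s, bool commit)
{
    if (commit) s->cur ^= 1u;
    for (int i = 0; i < MAX_ELEMS; i++) {
        if (s->e[i].inactive & gen_cur(s)) s->e[i].used = false;
        else s->e[i].inactive = 0;
    }
}
```

Call `set_finish(&s, true)` to commit and `set_finish(&s, false)` to abort; a pending add stays invisible to `set_lookup` and a pending delete stays visible until the commit.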
    • netfilter: nf_tables: add transaction helper functions · ea4bd995
      Patrick McHardy authored
      Add some helper functions for building the genmask as preparation for
      set transactions.
      
      Also add a little documentation on how this stuff actually works.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: return set extensions from ->lookup() · b2832dd6
      Patrick McHardy authored
      Return the extension area from the ->lookup() function to allow
      consolidating common actions.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: consolide set element destruction · 61edafbb
      Patrick McHardy authored
      With the conversion to set extensions, it is now possible to consolidate
      the different set element destruction functions.
      
      The set implementations' ->remove() functions are changed to only take
      the element out of their internal data structures. Elements will be freed
      in a batched fashion after the global transaction's completion RCU grace
      period.
      
      This reduces the amount of grace periods required for nft_hash from N
      to zero additional ones, additionally this guarantees that the set
      elements' extensions of all implementations can be used under RCU
      protection.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>