290-v4.16-netfilter-core-make-nf_unregister_net_hooks-simple-w.patch

   1 From 4e645b47c4f000a503b9c90163ad905786b9bc1d Mon Sep 17 00:00:00 2001
   2 From: Florian Westphal <fw@strlen.de>
   3 Date: Fri, 1 Dec 2017 00:21:02 +0100
   4 Subject: [PATCH 02/11] netfilter: core: make nf_unregister_net_hooks simple
   5  wrapper again
   6
   7 This reverts commit d3ad2c17b4047
   8 ("netfilter: core: batch nf_unregister_net_hooks synchronize_net calls").
   9
  10 Nothing wrong with it.  However, followup patch will delay freeing of hooks
  11 with call_rcu, so all synchronize_net() calls become obsolete and there
  12 is no need anymore for this batching.
  13
  14 This revert causes a temporary performance degradation when destroying
  15 network namespace, but its resolved with the upcoming call_rcu conversion.
  16
  17 Signed-off-by: Florian Westphal <fw@strlen.de>
  18 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  19 ---
  20  net/netfilter/core.c | 59 +++-------------------------------------------------
  21  1 file changed, 3 insertions(+), 56 deletions(-)
  22
  23 --- a/net/netfilter/core.c
  24 +++ b/net/netfilter/core.c
  25 @@ -395,63 +395,10 @@ EXPORT_SYMBOL(nf_register_net_hooks);
  26  void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
  27                              unsigned int hookcount)
  28  {
  29 -       struct nf_hook_entries *to_free[16], *p;
  30 -       struct nf_hook_entries __rcu **pp;
  31 -       unsigned int i, j, n;
  32 +       unsigned int i;
  33
  34 -       mutex_lock(&nf_hook_mutex);
  35 -       for (i = 0; i < hookcount; i++) {
  36 -               pp = nf_hook_entry_head(net, &reg[i]);
  37 -               if (!pp)
  38 -                       continue;
  39 -
  40 -               p = nf_entry_dereference(*pp);
  41 -               if (WARN_ON_ONCE(!p))
  42 -                       continue;
  43 -               __nf_unregister_net_hook(p, &reg[i]);
  44 -       }
  45 -       mutex_unlock(&nf_hook_mutex);
  46 -
  47 -       do {
  48 -               n = min_t(unsigned int, hookcount, ARRAY_SIZE(to_free));
  49 -
  50 -               mutex_lock(&nf_hook_mutex);
  51 -
  52 -               for (i = 0, j = 0; i < hookcount && j < n; i++) {
  53 -                       pp = nf_hook_entry_head(net, &reg[i]);
  54 -                       if (!pp)
  55 -                               continue;
  56 -
  57 -                       p = nf_entry_dereference(*pp);
  58 -                       if (!p)
  59 -                               continue;
  60 -
  61 -                       to_free[j] = __nf_hook_entries_try_shrink(pp);
  62 -                       if (to_free[j])
  63 -                               ++j;
  64 -               }
  65 -
  66 -               mutex_unlock(&nf_hook_mutex);
  67 -
  68 -               if (j) {
  69 -                       unsigned int nfq;
  70 -
  71 -                       synchronize_net();
  72 -
  73 -                       /* need 2nd synchronize_net() if nfqueue is used, skb
  74 -                        * can get reinjected right before nf_queue_hook_drop()
  75 -                        */
  76 -                       nfq = nf_queue_nf_hook_drop(net);
  77 -                       if (nfq)
  78 -                               synchronize_net();
  79 -
  80 -                       for (i = 0; i < j; i++)
  81 -                               kvfree(to_free[i]);
  82 -               }
  83 -
  84 -               reg += n;
  85 -               hookcount -= n;
  86 -       } while (hookcount > 0);
  87 +       for (i = 0; i < hookcount; i++)
  88 +               nf_unregister_net_hook(net, &reg[i]);
  89  }
  90  EXPORT_SYMBOL(nf_unregister_net_hooks);
  91