Re: [PATCH nf] netfilter: nft_compat: remove flush counter optimization
From: Pablo Neira Ayuso
Date: Mon Aug 10 2020 - 07:03:59 EST
On Sun, Aug 09, 2020 at 08:28:01PM +0200, Florian Westphal wrote:
> WARNING: CPU: 1 PID: 16059 at lib/refcount.c:31 refcount_warn_saturate+0xdf/0xf
> [..]
> __nft_mt_tg_destroy+0x42/0x50 [nft_compat]
> nft_target_destroy+0x63/0x80 [nft_compat]
> nf_tables_expr_destroy+0x1b/0x30 [nf_tables]
> nf_tables_rule_destroy+0x3a/0x70 [nf_tables]
> nf_tables_exit_net+0x186/0x3d0 [nf_tables]
>
> Happens when a compat expr is destoyed from abort path.
> There is no functional impact; after this work queue is flushed
> unconditionally if its pending.
>
> This removes the waitcount optimization. Test of repeated
> iptables-restore of a ~60k kubernetes ruleset doesn't indicate
> a slowdown. In case the counter is needed after all for some workloads
> we can revert this and increment the refcount for the
> != NFT_PREPARE_TRANS case to avoid the increment/decrement imbalance.
>
> While at it, also flush for match case, this was an oversight
> in the original patch.
Applied, thanks.