netfilter: nf_tables: allow clone callbacks to sleep
Sven Auhagen reports transaction failures with the following error:

./main.nft:13:1-26: Error: Could not process rule: Cannot allocate memory
percpu: allocation failed, size=16 align=8 atomic=1, atomic alloc failed, no space left

This points to a failing pcpu allocation with the GFP_ATOMIC flag. However, transactions happen from user context and are allowed to sleep.

One case where we can call into the percpu allocator with GFP_ATOMIC is the nft_counter expression. Normally this happens from the control plane, so this could use GFP_KERNEL instead. But one use case, element insertion from the packet path, needs to use GFP_ATOMIC allocations (nft_dynset expression). At this time, .clone callbacks always use GFP_ATOMIC for this reason.

Add a gfp_t argument to the .clone function and pass the GFP_KERNEL or GFP_ATOMIC flag depending on context; this allows all clone memory allocations to sleep for the normal (transaction) case.

Cc: Sven Auhagen <sven.auhagen@voleatech.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
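The commit message describes a context-dependent allocation flag: the clone callback itself does not know whether its caller may sleep, so the caller passes that in. The following is an added, stand-alone user-space model of that pattern (example code, not the kernel's nf_tables implementation): a simulated per-CPU allocator with a small atomic reserve that can run dry, a clone callback that takes a gfp_t argument, a transaction (sleepable) caller and a packet-path (atomic) caller, and the old always-atomic behaviour beside it to show the failure the report describes. The names sim_pcpu_alloc, counter_priv, transaction_clone and packet_path_clone are hypothetical stand-ins; GFP_ATOMIC and GFP_KERNEL here are plain integers, not the kernel's definitions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a user-space model of the gfp_t clone pattern, not kernel code.
 * Flag values, the allocator and the nft-like names are stand-ins. */
typedef unsigned int gfp_t;
#define GFP_ATOMIC 0x1u   /* caller cannot sleep: packet path (dynset insertion) */
#define GFP_KERNEL 0x2u   /* caller may sleep: transaction / control plane */

/* Simulated per-CPU allocator. Atomic allocations draw from a small reserve
 * that can be exhausted; a sleeping allocation is modelled as always able to
 * reclaim, so it succeeds regardless of the reserve. */
static int atomic_reserve;

void sim_pcpu_reset(int reserve) { atomic_reserve = reserve; }

static void *sim_pcpu_alloc(size_t size, gfp_t gfp)
{
    if (gfp & GFP_ATOMIC) {
        if (atomic_reserve == 0)
            return NULL;            /* "atomic alloc failed, no space left" */
        atomic_reserve--;
    }
    return calloc(1, size);
}

struct counter_priv {
    unsigned long *stats;           /* packets and bytes, "per CPU" */
};

/* Clone callback after the change: the gfp_t argument lets the caller decide
 * whether the allocation may sleep. Returns 0 or -ENOMEM. */
static int counter_clone(struct counter_priv *dst,
                         const struct counter_priv *src, gfp_t gfp)
{
    dst->stats = sim_pcpu_alloc(2 * sizeof(unsigned long), gfp);
    if (!dst->stats)
        return -ENOMEM;
    if (src->stats)
        memcpy(dst->stats, src->stats, 2 * sizeof(unsigned long));
    return 0;
}

void counter_release(struct counter_priv *p)
{
    free(p->stats);
    p->stats = NULL;
}

/* Transaction path (rule or element added from user space): may sleep. */
int transaction_clone(struct counter_priv *dst, const struct counter_priv *src)
{
    return counter_clone(dst, src, GFP_KERNEL);
}

/* Packet path (dynset inserting an element while a packet is processed):
 * cannot sleep, so only the atomic reserve is available. */
int packet_path_clone(struct counter_priv *dst, const struct counter_priv *src)
{
    return counter_clone(dst, src, GFP_ATOMIC);
}

/* Behaviour before the change: clone always used GFP_ATOMIC, even from the
 * transaction path that could have slept. */
int transaction_clone_old(struct counter_priv *dst, const struct counter_priv *src)
{
    return counter_clone(dst, src, GFP_ATOMIC);
}

int main(void)
{
    struct counter_priv tmpl = { 0 }, a, b, c;

    sim_pcpu_reset(1);                       /* one atomic allocation left */
    printf("packet path:          %d\n", packet_path_clone(&a, &tmpl));      /* 0 */
    printf("old transaction path: %d\n", transaction_clone_old(&b, &tmpl));  /* -12 */
    printf("new transaction path: %d\n", transaction_clone(&c, &tmpl));      /* 0 */
    counter_release(&a);
    counter_release(&b);
    counter_release(&c);
    return 0;
}
```

With the reserve drained by one packet-path insertion, the old always-atomic clone fails from the transaction path with -ENOMEM, which is the "Cannot allocate memory" the report shows, while the clone that receives GFP_KERNEL from the transaction caller succeeds; the packet-path caller keeps passing GFP_ATOMIC because it still cannot sleep.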
Showing 8 changed files:
- include/net/netfilter/nf_tables.h: 2 additions, 2 deletions
- net/netfilter/nf_tables_api.c: 4 additions, 4 deletions
- net/netfilter/nft_connlimit.c: 2 additions, 2 deletions
- net/netfilter/nft_counter.c: 2 additions, 2 deletions
- net/netfilter/nft_dynset.c: 1 addition, 1 deletion
- net/netfilter/nft_last.c: 2 additions, 2 deletions
- net/netfilter/nft_limit.c: 8 additions, 6 deletions
- net/netfilter/nft_quota.c: 2 additions, 2 deletions