netfilter: nf_tables: do not remove elements if set backend implements .abort

commit ebd032fa881882fef2acb9da1bbde48d8233241d upstream.

pipapo set backend maintains two copies of the datastructure, removing
the elements from the copy that is going to be discarded slows down
the abort path significantly, from several minutes to few seconds after
this patch.

Fixes: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 8a4cd1c16e0e4678a55dcba8eec56cf52bed641e..cd4318cbcaa395997689a23b67a3948db7d9f1a2 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9713,7 +9713,10 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
                                break;
                        }
                        te = (struct nft_trans_elem *)trans->data;
-                       nft_setelem_remove(net, te->set, &te->elem);
+                       if (!te->set->ops->abort ||
+                           nft_setelem_is_catchall(te->set, &te->elem))
+                               nft_setelem_remove(net, te->set, &te->elem);
+
                        if (!nft_setelem_is_catchall(te->set, &te->elem))
                                atomic_dec(&te->set->nelems);