Hi Sebastian,

On Thu, Mar 20, 2025 at 01:41:26PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Mar 13, 2025 at 09:34:40AM +0100, Sebastian Andrzej Siewior wrote:
> > On 2025-03-13 00:16:03 [+0100], Pablo Neira Ayuso wrote:
> > > Kconfig !PREEMPT_RT for this is not an option, right?
> >
> > That bad? I thought it would make you happy ;)
> > Making it !PREEMPT_RT would essentially disable the whole nf-legacy
> > interface. Given that it is intended to get rid of it eventually it
> > might be an option. I mean there is nothing you can do with
> > iptables-legacy that you can't do with iptables-nft?
> > I mean if this is not going to happen because of $reasons then that
> > would be the next best thing.
>
> We could give a try to this series and see.

I have been discussing this with Florian, our proposal:

1. Make iptables legacy depend on !PREEMPT_RT which effectively
   disables iptables classic for RT.

   This should be ok, iptables-nft should work for RT.

2. Make iptables-legacy user-selectable.

These two are relatively simple.

If this does not make you happy, it should be possible to take your
patches plus hide synchronize_rcu() latency behind deferred free
(call_rcu+workqueue).

As this looks now, I am afraid chances are high that this series will
require a follow up.

Thanks.