The per-CPU xt_recseq is a custom netfilter seqcount. It provides
synchronisation for the replacement of the xt_table::private pointer and
ensures that the two counters in xt_counters are properly observed during
an update on 32bit architectures. xt_recseq also supports recursion.

This construct is less than optimal on PREEMPT_RT because the lack of an
associated lock (with the seqcount) can lead to a deadlock if a high
priority reader interrupts a writer. Also xt_recseq relies on locking with
BH-disable which becomes problematic if the lock, currently part of
local_bh_disable() on PREEMPT_RT, gets removed.

Based on discussion with Pablo and Florian the legacy code is disabled on
PREEMPT_RT. I picked up the patches referenced by Florian and tried to fix
them up as suggested plus the bits we talked about.

v2…v3 https://lore.kernel.org/all/20250221133143.5058-1-bigeasy@xxxxxxxxxxxxx/
  - Instead of getting LEGACY code to work for PREEMPT_RT the code is now
    disabled on PREEMPT_RT. Since the long term plan is to get rid of it
    anyway, it might be less painful for everyone.

v1…v2 https://lore.kernel.org/all/20250216125135.3037967-1-bigeasy@xxxxxxxxxxxxx/
  - Updated kerneldoc in 2/3 so that the renamed parameter is part of it.
  - Updated description 1/3 in case there are complaints regarding the
    synchronize_rcu(). The suggested course of action is to motivate
    people to move away from "legacy" towards "nft" tooling. Last resort
    is not to wait for the in-flight counter and just copy what is there.

Pablo Neira Ayuso (1):
  netfilter: replace select by depends on for IP{6}_NF_IPTABLES_LEGACY

Sebastian Andrzej Siewior (2):
  netfilter: Let IP6_NF_IPTABLES_LEGACY select IP6_NF_IPTABLES.
  netfilter: Introduce NETFILTER_LEGACY to group all legacy code.

 net/Kconfig                  | 10 ++++++++++
 net/bridge/netfilter/Kconfig |  8 ++++----
 net/ipv4/netfilter/Kconfig   | 15 ++++++++-------
 net/ipv6/netfilter/Kconfig   | 13 +++++++------
 net/netfilter/x_tables.c     | 16 +++++++++++-----
 5 files changed, 40 insertions(+), 22 deletions(-)

-- 
2.49.0
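
An added illustration, not part of the posted series and not kernel code: a single-threaded user-space C model of a lockless seqcount guarding two counters, showing why a reader that interrupts a writer and cannot hand the CPU back never obtains a consistent snapshot. All names (`struct model`, `read_counters`, `max_spins`) are hypothetical, and the spin bound is an assumption that stands in for an unbounded retry loop.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical single-threaded model, not kernel code. */
struct counters { uint64_t pcnt, bcnt; };       /* the two counters */
struct model { atomic_uint seq; struct counters c; };

/* seq is odd while a writer is inside its update section. */
static void write_begin(struct model *m) { atomic_fetch_add(&m->seq, 1); }
static void write_end(struct model *m)   { atomic_fetch_add(&m->seq, 1); }

/* Reader: retry until seq is even and unchanged across the copy.
 * max_spins is an assumption of this model; the modelled reader has no bound. */
static bool read_counters(struct model *m, struct counters *out, unsigned max_spins)
{
    for (unsigned i = 0; i < max_spins; i++) {
        unsigned start = atomic_load(&m->seq);
        if (start & 1)
            continue;                   /* writer active, keep spinning */
        struct counters snap = m->c;
        if (atomic_load(&m->seq) == start) {
            *out = snap;
            return true;
        }
    }
    return false;                       /* never saw a stable, even seq */
}

/* A reader interrupts the writer mid-update and the writer cannot run
 * again until the reader finishes (the high priority reader case). */
static bool reader_interrupts_writer(void)
{
    struct model m = { 0 };
    struct counters out = { 0, 0 };
    write_begin(&m);
    m.c.pcnt += 1;                      /* first counter updated ... */
    bool ok = read_counters(&m, &out, 100000);
    m.c.bcnt += 1500;                   /* ... second only after the reader gave up */
    write_end(&m);
    return ok;
}

/* Same update, reader runs after write_end(): consistent snapshot. */
static bool reader_after_writer(struct counters *out)
{
    struct model m = { 0 };
    write_begin(&m); m.c.pcnt += 1; m.c.bcnt += 1500; write_end(&m);
    return read_counters(&m, out, 100000);
}

int main(void)
{
    struct counters c = { 0, 0 };
    printf("interrupting reader ok=%d\n", reader_interrupts_writer());
    printf("later reader ok=%d\n", reader_after_writer(&c));
    return 0;
}
```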