* [PATCH net 0/3] Netfilter fixes for net
@ 2024-02-14 23:38 Pablo Neira Ayuso
  2024-02-14 23:38 ` [PATCH net 1/3] netfilter: nft_set_pipapo: fix missing : in kdoc Pablo Neira Ayuso
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2024-02-14 23:38 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

Hi,

The following batch contains Netfilter fixes for net:

1) Missing : in kdoc field in nft_set_pipapo.

2) Restore default DNAT behavior when a DNAT rule is configured via
   iptables with different port ranges, from Kyle Swenson.

3) Restore flowtable hardware offload for bidirectional flows
   by setting NF_FLOW_HW_BIDIRECTIONAL flag, from Felix Fietkau.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-02-15

Thanks.

----------------------------------------------------------------

The following changes since commit 9b23fceb4158a3636ce4a2bda28ab03dcfa6a26f:

  ethernet: cpts: fix function pointer cast warnings (2024-02-14 12:50:53 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-02-15

for you to fetch changes up to 84443741faab9045d53f022a9ac6a6633067a481:

  netfilter: nf_tables: fix bidirectional offload regression (2024-02-15 00:20:00 +0100)

----------------------------------------------------------------
netfilter pull request 24-02-15

----------------------------------------------------------------
Felix Fietkau (1):
      netfilter: nf_tables: fix bidirectional offload regression

Kyle Swenson (1):
      netfilter: nat: restore default DNAT behavior

Pablo Neira Ayuso (1):
      netfilter: nft_set_pipapo: fix missing : in kdoc

 net/netfilter/nf_nat_core.c      | 5 ++++-
 net/netfilter/nft_flow_offload.c | 1 +
 net/netfilter/nft_set_pipapo.h   | 4 ++--
 3 files changed, 7 insertions(+), 3 deletions(-)


* [PATCH net 1/3] netfilter: nft_set_pipapo: fix missing : in kdoc
  2024-02-14 23:38 [PATCH net 0/3] Netfilter fixes for net Pablo Neira Ayuso
@ 2024-02-14 23:38 ` Pablo Neira Ayuso
  2024-02-15 12:00   ` patchwork-bot+netdevbpf
  2024-02-14 23:38 ` [PATCH net 2/3] netfilter: nat: restore default DNAT behavior Pablo Neira Ayuso
  2024-02-14 23:38 ` [PATCH net 3/3] netfilter: nf_tables: fix bidirectional offload regression Pablo Neira Ayuso
  2 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2024-02-14 23:38 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

Add missing : in kdoc field names.

Fixes: 8683f4b9950d ("nft_set_pipapo: Prepare for vectorised implementation: helpers")
Reported-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_set_pipapo.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nft_set_pipapo.h b/net/netfilter/nft_set_pipapo.h
index f59a0cd81105..3842c7341a9f 100644
--- a/net/netfilter/nft_set_pipapo.h
+++ b/net/netfilter/nft_set_pipapo.h
@@ -144,10 +144,10 @@ struct nft_pipapo_scratch {
 
 /**
  * struct nft_pipapo_match - Data used for lookup and matching
- * @field_count		Amount of fields in set
+ * @field_count:	Amount of fields in set
  * @scratch:		Preallocated per-CPU maps for partial matching results
  * @bsize_max:		Maximum lookup table bucket size of all fields, in longs
- * @rcu			Matching data is swapped on commits
+ * @rcu:		Matching data is swapped on commits
  * @f:			Fields, with lookup and mapping tables
  */
 struct nft_pipapo_match {
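Review bot: Documentation only; @field_count and @rcu now use the `@name:` form that @scratch, @bsize_max and @f already use in this comment block, which is what kernel-doc needs to parse member descriptions. Worth running `scripts/kernel-doc -none net/netfilter/nft_set_pipapo.h` before applying to confirm the header is now warning-free rather than fixing only the two members that were reported.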
-- 
2.30.2



* [PATCH net 2/3] netfilter: nat: restore default DNAT behavior
  2024-02-14 23:38 [PATCH net 0/3] Netfilter fixes for net Pablo Neira Ayuso
  2024-02-14 23:38 ` [PATCH net 1/3] netfilter: nft_set_pipapo: fix missing : in kdoc Pablo Neira Ayuso
@ 2024-02-14 23:38 ` Pablo Neira Ayuso
  2024-02-14 23:38 ` [PATCH net 3/3] netfilter: nf_tables: fix bidirectional offload regression Pablo Neira Ayuso
  2 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2024-02-14 23:38 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

From: Kyle Swenson <kyle.swenson@est.tech>

When a DNAT rule is configured via iptables with different port ranges,

iptables -t nat -A PREROUTING -p tcp -d 10.0.0.2 -m tcp --dport 32000:32010
-j DNAT --to-destination 192.168.0.10:21000-21010

we seem to be DNATing to some random port on the LAN side. While this is
expected if --random is passed to the iptables command, it is not
expected without passing --random.  The expected behavior (and the
observed behavior prior to the commit in the "Fixes" tag) is the traffic
will be DNAT'd to 192.168.0.10:21000 unless there is a tuple collision
with that destination.  In that case, we expect the traffic to be
instead DNAT'd to 192.168.0.10:21001, and so on and so forth until the end of
the range.

This patch intends to restore the behavior observed prior to the "Fixes"
tag.

Fixes: 6ed5943f8735 ("netfilter: nat: remove l4 protocol port rovers")
Signed-off-by: Kyle Swenson <kyle.swenson@est.tech>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_nat_core.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index c3d7ecbc777c..016c816d91cb 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -551,8 +551,11 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
 find_free_id:
 	if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
 		off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
-	else
+	else if ((range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL) ||
+		 maniptype != NF_NAT_MANIP_DST)
 		off = get_random_u16();
+	else
+		off = 0;
 
 	attempts = range_size;
 	if (attempts > NF_NAT_MAX_ATTEMPTS)
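Review bot: Nothing in the hunk documents why NF_NAT_MANIP_DST is singled out for a fixed starting offset while SNAT keeps `get_random_u16()`; a one-line comment above the new `else if`, along the lines of `/* DNAT walks the range from its base unless --random was requested */`, would save the next reader a trip to the Fixes commit. The NF_NAT_RANGE_PROTO_RANDOM_ALL test correctly keeps --random and --random-fully honoured for DNAT, so the now-predictable port choice applies only where the administrator configured a plain port range, which is the behaviour the changelog asks for. One thing to double-check just below the hunk: the 21000, 21001, ... walk described in the changelog relies on the `attempts` loop starting from `off = 0` and stepping upward, not re-randomizing `off` on a retry.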
-- 
2.30.2


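The port-selection behaviour this changelog describes, as an added example rather than code from the patch or the kernel tree: a user-space model of the offset choice in nf_nat_l4proto_unique_tuple() after this patch, with a switch that reproduces the pre-fix behaviour. pick_port(), nth_port(), struct used_ports, the three sample ranges and the flag bit values are assumptions made for this illustration; the NF_NAT_MAX_ATTEMPTS cap and the retry round of the real function are omitted, and the "random" draw is passed in so the walk is reproducible.

```c
/*
 * Added example, not kernel code: models the offset selection in
 * nf_nat_l4proto_unique_tuple() as it reads after this patch.
 * Flag values, struct names and helpers below are assumptions made for
 * the illustration; only the NF_NAT_* names mirror the kernel's.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NF_NAT_RANGE_PROTO_RANDOM        (1u << 0)
#define NF_NAT_RANGE_PROTO_RANDOM_FULLY  (1u << 1)
#define NF_NAT_RANGE_PROTO_OFFSET        (1u << 2)
#define NF_NAT_RANGE_PROTO_RANDOM_ALL \
	(NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY)

enum nf_nat_manip_type { NF_NAT_MANIP_SRC, NF_NAT_MANIP_DST };

struct nat_range {
	uint16_t min_port, max_port;  /* --to-destination host:21000-21010 */
	uint16_t base_port;           /* base_proto, used with PROTO_OFFSET */
	unsigned flags;
};

/* Constructed stand-in for the conntrack table: ports already mapped. */
#define MAX_USED 64
struct used_ports {
	uint16_t port[MAX_USED];
	int n;
};

static bool port_in_use(const struct used_ports *u, uint16_t port)
{
	for (int i = 0; i < u->n; i++)
		if (u->port[i] == port)
			return true;
	return false;
}

/*
 * Choose a port for one new connection. orig_port is the port in the
 * packet (*keyptr in the kernel), rnd stands in for get_random_u16(),
 * and fixed=false reproduces the behaviour this patch removes.
 * Returns 0 when every port in the range is already taken.
 */
uint16_t pick_port(const struct nat_range *r, enum nf_nat_manip_type maniptype,
		   uint16_t orig_port, uint16_t rnd, bool fixed,
		   struct used_ports *u)
{
	unsigned range_size = (unsigned)r->max_port - r->min_port + 1;
	unsigned off;

	if (r->flags & NF_NAT_RANGE_PROTO_OFFSET)
		off = orig_port - r->base_port;   /* keep the caller's offset */
	else if (!fixed || (r->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL) ||
		 maniptype != NF_NAT_MANIP_DST)
		off = rnd;   /* SNAT, or explicit --random / --random-fully */
	else
		off = 0;     /* plain DNAT: start at the first port in range */

	/* Walk the range from off, taking the first free port. */
	for (unsigned i = 0; i < range_size; i++, off++) {
		uint16_t port = r->min_port + off % range_size;
		if (!port_in_use(u, port)) {
			if (u->n < MAX_USED)
				u->port[u->n++] = port;
			return port;
		}
	}
	return 0;
}

/* Open n connections against an empty table; return the nth port chosen. */
uint16_t nth_port(const struct nat_range *r, enum nf_nat_manip_type maniptype,
		  uint16_t orig_port, uint16_t rnd, bool fixed, int n)
{
	struct used_ports u = { .n = 0 };
	uint16_t port = 0;

	for (int i = 0; i < n; i++)
		port = pick_port(r, maniptype, orig_port, rnd, fixed, &u);
	return port;
}

/* Sample ranges (constructed) matching the changelog's 21000-21010. */
const struct nat_range dnat_range        = { 21000, 21010, 0,     0 };
const struct nat_range dnat_random_range = { 21000, 21010, 0,     NF_NAT_RANGE_PROTO_RANDOM };
const struct nat_range dnat_offset_range = { 21000, 21010, 32000, NF_NAT_RANGE_PROTO_OFFSET };

int main(void)
{
	/* Same "random" draw of 7 for every connection, dport 32000. */
	for (int n = 1; n <= 3; n++)
		printf("fixed DNAT, connection %d -> %u\n", n,
		       nth_port(&dnat_range, NF_NAT_MANIP_DST, 32000, 7, true, n));
	printf("pre-fix DNAT, connection 1 -> %u\n",
	       nth_port(&dnat_range, NF_NAT_MANIP_DST, 32000, 7, false, 1));
	printf("SNAT, connection 1 -> %u\n",
	       nth_port(&dnat_range, NF_NAT_MANIP_SRC, 32000, 7, true, 1));
	return 0;
}
```

With the fix, the first three connections land on 21000, 21001 and 21002; the pre-fix path and SNAT both start at the random draw, and a range configured with --random or a port offset is unaffected by the change.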

* [PATCH net 3/3] netfilter: nf_tables: fix bidirectional offload regression
  2024-02-14 23:38 [PATCH net 0/3] Netfilter fixes for net Pablo Neira Ayuso
  2024-02-14 23:38 ` [PATCH net 1/3] netfilter: nft_set_pipapo: fix missing : in kdoc Pablo Neira Ayuso
  2024-02-14 23:38 ` [PATCH net 2/3] netfilter: nat: restore default DNAT behavior Pablo Neira Ayuso
@ 2024-02-14 23:38 ` Pablo Neira Ayuso
  2 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2024-02-14 23:38 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

From: Felix Fietkau <nbd@nbd.name>

Commit 8f84780b84d6 ("netfilter: flowtable: allow unidirectional rules")
made unidirectional flow offload possible, while completely ignoring (and
breaking) bidirectional flow offload for nftables.
Add the missing flag that was left out as an exercise for the reader :)

Cc: Vlad Buslov <vladbu@nvidia.com>
Fixes: 8f84780b84d6 ("netfilter: flowtable: allow unidirectional rules")
Reported-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_flow_offload.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 397351fa4d5f..ab9576098701 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -361,6 +361,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 		ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 	}
 
+	__set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags);
 	ret = flow_offload_add(flowtable, flow);
 	if (ret < 0)
 		goto err_flow_add;
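Review bot: The non-atomic `__set_bit()` is safe here only because `flow` has not yet been passed to `flow_offload_add()` and so is not visible to other CPUs; a short comment saying so would stop a later reader from "fixing" it to `set_bit()`. Setting the flag unconditionally matches the changelog's statement that nftables offload was bidirectional before 8f84780b84d6. Before applying, check the other `flow_offload_add()` callers to confirm the flag is absent only where unidirectional offload is actually intended, otherwise the same regression exists there.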
-- 
2.30.2



* Re: [PATCH net 1/3] netfilter: nft_set_pipapo: fix missing : in kdoc
  2024-02-14 23:38 ` [PATCH net 1/3] netfilter: nft_set_pipapo: fix missing : in kdoc Pablo Neira Ayuso
@ 2024-02-15 12:00   ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2024-02-15 12:00 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: netfilter-devel, davem, netdev, kuba, pabeni, edumazet, fw

Hello:

This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Thu, 15 Feb 2024 00:38:16 +0100 you wrote:
> Add missing : in kdoc field names.
> 
> Fixes: 8683f4b9950d ("nft_set_pipapo: Prepare for vectorised implementation: helpers")
> Reported-by: Paolo Abeni <pabeni@redhat.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  net/netfilter/nft_set_pipapo.h | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Here is the summary with links:
  - [net,1/3] netfilter: nft_set_pipapo: fix missing : in kdoc
    https://git.kernel.org/netdev/net/c/f6374a82fc85
  - [net,2/3] netfilter: nat: restore default DNAT behavior
    https://git.kernel.org/netdev/net/c/0f1ae2821fa4
  - [net,3/3] netfilter: nf_tables: fix bidirectional offload regression
    https://git.kernel.org/netdev/net/c/84443741faab

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



