From: Ilya Leoshkevich <iii@linux.ibm.com>
To: Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>
Cc: bpf@vger.kernel.org, Heiko Carstens <hca@linux.ibm.com>,
Vasily Gorbik <gor@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
fw@strlen.de, pablo@netfilter.org
Subject: Re: [PATCH bpf-next 02/11] net: netfilter: Adjust timeouts of non-confirmed CTs in bpf_ct_insert_entry()
Date: Sun, 03 Sep 2023 10:23:23 +0200 [thread overview]
Message-ID: <f7cdb053779c7b47042fbb7a5ba46edc67b9aa8f.camel@linux.ibm.com> (raw)
In-Reply-To: <08f2e910-2bd8-8cf6-688b-4bdf0161c969@iogearbox.net>
On Thu, 2023-08-31 at 17:30 +0200, Daniel Borkmann wrote:
> [ +Florian ]
>
> On 8/30/23 3:07 AM, Ilya Leoshkevich wrote:
> > bpf_nf testcase fails on s390x: bpf_skb_ct_lookup() cannot find the
> > entry that was added by bpf_ct_insert_entry() within the same BPF
> > function.
> >
> > The reason is that this entry is deleted by nf_ct_gc_expired().
> >
> > The CT timeout starts ticking after the CT confirmation; therefore
> > nf_conn.timeout is initially set to the timeout value, and
> > __nf_conntrack_confirm() sets it to the deadline value.
> > bpf_ct_insert_entry() sets IPS_CONFIRMED_BIT, but does not adjust
> > the
> > timeout, making its value meaningless and causing false positives.
> >
> > Fix the problem by making bpf_ct_insert_entry() adjust the timeout,
> > like __nf_conntrack_confirm().
> >
> > Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
>
> Should we route this fix via bpf tree instead? Also, could you reply
> with
> a Fixes tag?
Yes, putting this into the bpf tree makes sense to me. Should I resend
with a different subject-prefix?
Fixes: 2cdaa3eefed8 ("netfilter: conntrack: restore IPS_CONFIRMED out
of nf_conntrack_hash_check_insert()")
[...]
next prev parent reply other threads:[~2023-09-03 8:23 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-30 1:07 [PATCH bpf-next 00/11] Implement cpuv4 support for s390x Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 01/11] bpf: Disable zero-extension for BPF_MEMSX Ilya Leoshkevich
2023-09-01 10:40 ` Yonghong Song
2023-09-01 14:19 ` Puranjay Mohan
2023-09-01 14:56 ` Puranjay Mohan
2023-09-07 0:39 ` Alexei Starovoitov
2023-09-07 7:33 ` Puranjay Mohan
2023-09-07 15:36 ` Alexei Starovoitov
2023-09-07 16:39 ` Puranjay Mohan
2023-09-07 22:45 ` Alexei Starovoitov
2023-09-07 22:57 ` Puranjay Mohan
2023-09-12 22:49 ` Puranjay Mohan
2023-09-13 0:09 ` Alexei Starovoitov
2023-09-13 0:22 ` Puranjay Mohan
2023-09-13 1:49 ` Alexei Starovoitov
2023-09-13 6:10 ` Christophe Leroy
2023-09-03 8:16 ` Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 02/11] net: netfilter: Adjust timeouts of non-confirmed CTs in bpf_ct_insert_entry() Ilya Leoshkevich
2023-08-31 15:30 ` Daniel Borkmann
2023-09-03 8:23 ` Ilya Leoshkevich [this message]
2023-08-30 1:07 ` [PATCH bpf-next 03/11] selftests/bpf: Unmount the cgroup2 work directory Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 04/11] selftests/bpf: Add big-endian support to the ldsx test Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 05/11] s390/bpf: Implement BPF_MOV | BPF_X with sign-extension Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 06/11] s390/bpf: Implement BPF_MEMSX Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 07/11] s390/bpf: Implement unconditional byte swap Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 08/11] s390/bpf: Implement unconditional jump with 32-bit offset Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 09/11] s390/bpf: Implement signed division Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 10/11] selftests/bpf: Enable the cpuv4 tests for s390x Ilya Leoshkevich
2023-09-01 10:41 ` Yonghong Song
2023-08-30 1:07 ` [PATCH bpf-next 11/11] selftests/bpf: Trim DENYLIST.s390x Ilya Leoshkevich
2023-09-14 13:00 ` [PATCH bpf-next 00/11] Implement cpuv4 support for s390x patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f7cdb053779c7b47042fbb7a5ba46edc67b9aa8f.camel@linux.ibm.com \
--to=iii@linux.ibm.com \
--cc=agordeev@linux.ibm.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=fw@strlen.de \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.