* [PATCH net 0/7] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2022-06-06 21:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix NAT support for NFPROTO_INET without layer 3 address,
from Florian Westphal.
2) Use kfree_rcu(ptr, rcu) variant in nf_tables clean_net path.
3) Use list to collect flowtable hooks to be deleted.
4) Initialize list of hook field in flowtable transaction.
5) Release hooks on error for flowtable updates.
6) Memleak in hardware offload rule commit and abort paths.
7) Early bail out in case device does not support hardware offload.
This adds a new interface to net/core/flow_offload.c to check if the
flow indirect block list is empty.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 0a375c822497ed6ad6b5da0792a12a6f1af10c0b:
tcp: tcp_rtx_synack() can be called from process context (2022-05-31 21:40:10 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 3a41c64d9c1185a2f3a184015e2a9b78bfc99c71:
netfilter: nf_tables: bail out early if hardware offload is not supported (2022-06-06 19:19:15 +0200)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nat: really support inet nat without l3 address
Pablo Neira Ayuso (6):
netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in clean_net path
netfilter: nf_tables: delete flowtable hooks via transaction list
netfilter: nf_tables: always initialize flowtable hook list in transaction
netfilter: nf_tables: release new hooks on unsupported flowtable flags
netfilter: nf_tables: memleak flow rule from commit path
netfilter: nf_tables: bail out early if hardware offload is not supported
include/net/flow_offload.h | 1 +
include/net/netfilter/nf_tables.h | 1 -
include/net/netfilter/nf_tables_offload.h | 2 +-
net/core/flow_offload.c | 6 ++++
net/netfilter/nf_tables_api.c | 54 ++++++++++++----------------
net/netfilter/nf_tables_offload.c | 23 +++++++++++-
net/netfilter/nft_nat.c | 3 +-
tools/testing/selftests/netfilter/nft_nat.sh | 43 ++++++++++++++++++++++
8 files changed, 98 insertions(+), 35 deletions(-)
* [PATCH net 1/7] netfilter: nat: really support inet nat without l3 address
From: Pablo Neira Ayuso @ 2022-06-06 21:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Florian Westphal <fw@strlen.de>
When no l3 address is given, priv->family is set to NFPROTO_INET and
the evaluation function isn't called.
Call it too so l4-only rewrite can work.
Also add a test case for this.
Fixes: a33f387ecd5aa ("netfilter: nft_nat: allow to specify layer 4 protocol NAT only")
Reported-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_nat.c | 3 +-
tools/testing/selftests/netfilter/nft_nat.sh | 43 ++++++++++++++++++++
2 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index 4394df4bc99b..e5fd6995e4bf 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -335,7 +335,8 @@ static void nft_nat_inet_eval(const struct nft_expr *expr,
{
const struct nft_nat *priv = nft_expr_priv(expr);
- if (priv->family == nft_pf(pkt))
+ if (priv->family == nft_pf(pkt) ||
+ priv->family == NFPROTO_INET)
nft_nat_eval(expr, regs, pkt);
}
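Review bot: the added `priv->family == NFPROTO_INET` clause makes the condition unconditionally true for inet-family rules, so nft_nat_eval() now runs for both IPv4 and IPv6 packets matched by such a rule; that is only safe because an inet rule without an l3 address carries no address to apply, and a one-line comment stating that invariant above the `if` (for example `/* inet family without l3 address: l4-only rewrite, valid for any pf */`) would save the next reader from tracing how priv->family gets set to confirm it.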
diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh
index eb8543b9a5c4..924ecb3f1f73 100755
--- a/tools/testing/selftests/netfilter/nft_nat.sh
+++ b/tools/testing/selftests/netfilter/nft_nat.sh
@@ -374,6 +374,45 @@ EOF
return $lret
}
+test_local_dnat_portonly()
+{
+ local family=$1
+ local daddr=$2
+ local lret=0
+ local sr_s
+ local sr_r
+
+ip netns exec "$ns0" nft -f /dev/stdin <<EOF
+table $family nat {
+ chain output {
+ type nat hook output priority 0; policy accept;
+ meta l4proto tcp dnat to :2000
+
+ }
+}
+EOF
+ if [ $? -ne 0 ]; then
+ if [ $family = "inet" ];then
+ echo "SKIP: inet port test"
+ test_inet_nat=false
+ return
+ fi
+ echo "SKIP: Could not add $family dnat hook"
+ return
+ fi
+
+ echo SERVER-$family | ip netns exec "$ns1" timeout 5 socat -u STDIN TCP-LISTEN:2000 &
+ sc_s=$!
+
+ result=$(ip netns exec "$ns0" timeout 1 socat TCP:$daddr:2000 STDOUT)
+
+ if [ "$result" = "SERVER-inet" ];then
+ echo "PASS: inet port rewrite without l3 address"
+ else
+ echo "ERROR: inet port rewrite"
+ ret=1
+ fi
+}
test_masquerade6()
{
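Review bot: the locals and results in test_local_dnat_portonly() do not line up: `local sr_s` and `local sr_r` are declared but the background PID is stored in the undeclared `sc_s`, `local lret=0` is declared yet the failure branch sets the global `ret=1` and the function never returns `$lret` as the preceding function does (`return $lret` at the top of this hunk), and the PASS check compares against the literal "SERVER-inet" while the listener echoes SERVER-$family, so the function only works for the one inet call site. Nothing waits for the socat listener to be ready before the client connects, and `$sc_s` is never waited on or killed. Suggest `[ "$result" = "SERVER-$family" ]`, `lret=1` plus `return $lret`, and a short delay or wait between starting the listener and connecting.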
@@ -1148,6 +1187,10 @@ fi
reset_counters
test_local_dnat ip
test_local_dnat6 ip6
+
+reset_counters
+test_local_dnat_portonly inet 10.0.1.99
+
reset_counters
$test_inet_nat && test_local_dnat inet
$test_inet_nat && test_local_dnat6 inet
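Review bot: the new `test_local_dnat_portonly inet 10.0.1.99` call is not gated on `$test_inet_nat` like the two inet calls directly below it. That works because the function clears test_inet_nat itself when the inet table cannot be created, but the ordering is load-bearing: a comment such as `# must run before the gated inet tests; clears test_inet_nat on failure` would keep a later reorder from silently breaking the skip logic.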
--
2.30.2
* Re: [PATCH net 1/7] netfilter: nat: really support inet nat without l3 address
From: patchwork-bot+netdevbpf @ 2022-06-08 1:20 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba, pabeni, edumazet
Hello:
This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Mon, 6 Jun 2022 23:20:49 +0200 you wrote:
> From: Florian Westphal <fw@strlen.de>
>
> When no l3 address is given, priv->family is set to NFPROTO_INET and
> the evaluation function isn't called.
>
> Call it too so l4-only rewrite can work.
> Also add a test case for this.
>
> [...]
Here is the summary with links:
- [net,1/7] netfilter: nat: really support inet nat without l3 address
https://git.kernel.org/netdev/net/c/282e5f8fe907
- [net,2/7] netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in clean_net path
https://git.kernel.org/netdev/net/c/ab5e5c062f67
- [net,3/7] netfilter: nf_tables: delete flowtable hooks via transaction list
https://git.kernel.org/netdev/net/c/b6d9014a3335
- [net,4/7] netfilter: nf_tables: always initialize flowtable hook list in transaction
https://git.kernel.org/netdev/net/c/2c9e4559773c
- [net,5/7] netfilter: nf_tables: release new hooks on unsupported flowtable flags
https://git.kernel.org/netdev/net/c/c271cc9febaa
- [net,6/7] netfilter: nf_tables: memleak flow rule from commit path
https://git.kernel.org/netdev/net/c/9dd732e0bdf5
- [net,7/7] netfilter: nf_tables: bail out early if hardware offload is not supported
https://git.kernel.org/netdev/net/c/3a41c64d9c11
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* [PATCH net 2/7] netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in clean_net path
From: Pablo Neira Ayuso @ 2022-06-06 21:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Use kfree_rcu(ptr, rcu) variant instead as described by ae089831ff28
("netfilter: nf_tables: prefer kfree_rcu(ptr, rcu) variant").
Fixes: f9a43007d3f7 ("netfilter: nf_tables: double hook unregistration in netns path")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 746be13438ef..129d3ebd6ce5 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7332,7 +7332,7 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net,
nf_unregister_net_hook(net, &hook->ops);
if (release_netdev) {
list_del(&hook->list);
- kfree_rcu(hook);
+ kfree_rcu(hook, rcu);
}
}
}
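Review bot: the one-line change is correct, but the commit message only says the two-argument variant is "preferred"; stating the concrete reason (struct nft_hook already embeds `struct rcu_head rcu`, which the single-argument form cannot use, so it has to fall back to a slower path when it cannot allocate its own bookkeeping) would make the Fixes: tag self-explanatory for whoever backports it to stable.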
--
2.30.2
* [PATCH net 3/7] netfilter: nf_tables: delete flowtable hooks via transaction list
From: Pablo Neira Ayuso @ 2022-06-06 21:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Remove inactive bool field in nft_hook object that was introduced in
abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable").
Move stale flowtable hooks to transaction list instead.
Deleting twice the same device does not result in ENOENT.
Fixes: abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 1 -
net/netfilter/nf_tables_api.c | 31 ++++++-------------------------
2 files changed, 6 insertions(+), 26 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 20af9d3557b9..279ae0fff7ad 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1090,7 +1090,6 @@ struct nft_stats {
struct nft_hook {
struct list_head list;
- bool inactive;
struct nf_hook_ops ops;
struct rcu_head rcu;
};
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 129d3ebd6ce5..30588349f96c 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1914,7 +1914,6 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
goto err_hook_dev;
}
hook->ops.dev = dev;
- hook->inactive = false;
return hook;
@@ -7618,6 +7617,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx,
{
const struct nlattr * const *nla = ctx->nla;
struct nft_flowtable_hook flowtable_hook;
+ LIST_HEAD(flowtable_del_list);
struct nft_hook *this, *hook;
struct nft_trans *trans;
int err;
@@ -7633,7 +7633,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx,
err = -ENOENT;
goto err_flowtable_del_hook;
}
- hook->inactive = true;
+ list_move(&hook->list, &flowtable_del_list);
}
trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
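Review bot: after `list_move(&hook->list, &flowtable_del_list)` the device is no longer on flowtable->hook_list while the transaction is still pending, which is exactly what turns a second delete of the same device into the `err = -ENOENT` above. That is the intended fix, but the commit message sentence "Deleting twice the same device does not result in ENOENT" reads as a description of the old behaviour without saying so; rephrasing it as "Before this patch, deleting the same device twice did not result in ENOENT" would make the user-visible change explicit.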
@@ -7646,6 +7646,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx,
nft_trans_flowtable(trans) = flowtable;
nft_trans_flowtable_update(trans) = true;
INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
+ list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
nft_flowtable_hook_release(&flowtable_hook);
nft_trans_commit_list_add_tail(ctx->net, trans);
@@ -7653,13 +7654,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx,
return 0;
err_flowtable_del_hook:
- list_for_each_entry(this, &flowtable_hook.list, list) {
- hook = nft_hook_list_find(&flowtable->hook_list, this);
- if (!hook)
- break;
-
- hook->inactive = false;
- }
+ list_splice(&flowtable_del_list, &flowtable->hook_list);
nft_flowtable_hook_release(&flowtable_hook);
return err;
@@ -8563,17 +8558,6 @@ void nft_chain_del(struct nft_chain *chain)
list_del_rcu(&chain->list);
}
-static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
- struct list_head *hook_list)
-{
- struct nft_hook *hook, *next;
-
- list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
- if (hook->inactive)
- list_move(&hook->list, hook_list);
- }
-}
-
static void nf_tables_module_autoload_cleanup(struct net *net)
{
struct nftables_pernet *nft_net = nft_pernet(net);
@@ -8918,8 +8902,6 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
break;
case NFT_MSG_DELFLOWTABLE:
if (nft_trans_flowtable_update(trans)) {
- nft_flowtable_hooks_del(nft_trans_flowtable(trans),
- &nft_trans_flowtable_hooks(trans));
nf_tables_flowtable_notify(&trans->ctx,
nft_trans_flowtable(trans),
&nft_trans_flowtable_hooks(trans),
@@ -9000,7 +8982,6 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
struct nftables_pernet *nft_net = nft_pernet(net);
struct nft_trans *trans, *next;
struct nft_trans_elem *te;
- struct nft_hook *hook;
if (action == NFNL_ABORT_VALIDATE &&
nf_tables_validate(net) < 0)
@@ -9131,8 +9112,8 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
break;
case NFT_MSG_DELFLOWTABLE:
if (nft_trans_flowtable_update(trans)) {
- list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
- hook->inactive = false;
+ list_splice(&nft_trans_flowtable_hooks(trans),
+ &nft_trans_flowtable(trans)->hook_list);
} else {
trans->ctx.table->use++;
nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
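Review bot: restoring the hooks with `list_splice()` on abort is only correct if nft_delflowtable_hook() never unregistered them, i.e. unregistration still happens in the commit path; that holds with this series, but a one-line comment on the abort case ("hooks are still registered, just re-link them") would document the invariant that makes the splice sufficient, and the same applies to the err_flowtable_del_hook splice earlier in this patch.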
--
2.30.2
* [PATCH net 4/7] netfilter: nf_tables: always initialize flowtable hook list in transaction
From: Pablo Neira Ayuso @ 2022-06-06 21:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
The hook list is used if nft_trans_flowtable_update(trans) == true. However,
initialize this list for other cases for safety reasons.
Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 30588349f96c..2faa77cd2fe2 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -544,6 +544,7 @@ static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
if (msg_type == NFT_MSG_NEWFLOWTABLE)
nft_activate_next(ctx->net, flowtable);
+ INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
nft_trans_flowtable(trans) = flowtable;
nft_trans_commit_list_add_tail(ctx->net, trans);
--
2.30.2
* [PATCH net 5/7] netfilter: nf_tables: release new hooks on unsupported flowtable flags
From: Pablo Neira Ayuso @ 2022-06-06 21:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Release the list of new hooks that are pending to be registered in case
that unsupported flowtable flags are provided.
Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2faa77cd2fe2..252796a99f5e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7433,11 +7433,15 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
if (nla[NFTA_FLOWTABLE_FLAGS]) {
flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
- if (flags & ~NFT_FLOWTABLE_MASK)
- return -EOPNOTSUPP;
+ if (flags & ~NFT_FLOWTABLE_MASK) {
+ err = -EOPNOTSUPP;
+ goto err_flowtable_update_hook;
+ }
if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
- (flags & NFT_FLOWTABLE_HW_OFFLOAD))
- return -EOPNOTSUPP;
+ (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
+ err = -EOPNOTSUPP;
+ goto err_flowtable_update_hook;
+ }
} else {
flags = flowtable->data.flags;
}
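Review bot: the fix keeps the leaking path and adds the missing release to it; the simpler option is to validate NFTA_FLOWTABLE_FLAGS before nft_flowtable_parse_hook() is called, so that nothing has been allocated when -EOPNOTSUPP is returned and the two `goto err_flowtable_update_hook` jumps are not needed at all. The checks only read `flags` and `flowtable->data.flags`, not the parsed hook list, so the reorder looks possible. If the ordering has to stay, please confirm that err_flowtable_update_hook, which is outside this hunk, frees every entry of the parsed hook list and not only hooks that were already registered.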
--
2.30.2
* [PATCH net 6/7] netfilter: nf_tables: memleak flow rule from commit path
From: Pablo Neira Ayuso @ 2022-06-06 21:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Abort path releases the flow rule object, however, commit path does not.
Update code to destroy these objects before releasing the transaction.
Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 252796a99f5e..1a6a21bfb18d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8329,6 +8329,9 @@ static void nft_commit_release(struct nft_trans *trans)
nf_tables_chain_destroy(&trans->ctx);
break;
case NFT_MSG_DELRULE:
+ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
+ nft_flow_rule_destroy(nft_trans_flow_rule(trans));
+
nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
break;
case NFT_MSG_DELSET:
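Review bot: `trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD` is the condition under which the flow rule is assumed to exist, so nft_trans_flow_rule(trans) must be non-NULL for every DELRULE transaction on an offload chain, and the object must be destroyed exactly once. The abort path that the commit message says already releases it is not part of this patch, so please double check that its condition is identical to this one, otherwise a rule could be destroyed on both paths or on neither.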
@@ -8817,6 +8820,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
nf_tables_rule_notify(&trans->ctx,
nft_trans_rule(trans),
NFT_MSG_NEWRULE);
+ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
+ nft_flow_rule_destroy(nft_trans_flow_rule(trans));
+
nft_trans_destroy(trans);
break;
case NFT_MSG_DELRULE:
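Review bot: the same three lines now appear in nft_commit_release() and here in nf_tables_commit(); folding them into a small helper, e.g. `static void nft_trans_flow_rule_release(struct nft_trans *trans)` with the NFT_CHAIN_HW_OFFLOAD check inside, keeps the offload condition in one place so the two call sites cannot diverge on the next refactor.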
--
2.30.2
* [PATCH net 7/7] netfilter: nf_tables: bail out early if hardware offload is not supported
From: Pablo Neira Ayuso @ 2022-06-06 21:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
If user requests for NFT_CHAIN_HW_OFFLOAD, then check if either device
provides the .ndo_setup_tc interface or there is an indirect flow block
that has been registered. Otherwise, bail out early from the preparation
phase. Moreover, validate that family == NFPROTO_NETDEV and hook is
NF_NETDEV_INGRESS.
Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/flow_offload.h | 1 +
include/net/netfilter/nf_tables_offload.h | 2 +-
net/core/flow_offload.c | 6 ++++++
net/netfilter/nf_tables_api.c | 2 +-
net/netfilter/nf_tables_offload.c | 23 ++++++++++++++++++++++-
5 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h
index 021778a7e1af..6484095a8c01 100644
--- a/include/net/flow_offload.h
+++ b/include/net/flow_offload.h
@@ -612,5 +612,6 @@ int flow_indr_dev_setup_offload(struct net_device *dev, struct Qdisc *sch,
enum tc_setup_type type, void *data,
struct flow_block_offload *bo,
void (*cleanup)(struct flow_block_cb *block_cb));
+bool flow_indr_dev_exists(void);
#endif /* _NET_FLOW_OFFLOAD_H */
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index 797147843958..3568b6a2f5f0 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -92,7 +92,7 @@ int nft_flow_rule_offload_commit(struct net *net);
NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg) \
memset(&(__reg)->mask, 0xff, (__reg)->len);
-int nft_chain_offload_priority(struct nft_base_chain *basechain);
+bool nft_chain_offload_support(const struct nft_base_chain *basechain);
int nft_offload_init(void);
void nft_offload_exit(void);
diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c
index 73f68d4625f3..929f6379a279 100644
--- a/net/core/flow_offload.c
+++ b/net/core/flow_offload.c
@@ -595,3 +595,9 @@ int flow_indr_dev_setup_offload(struct net_device *dev, struct Qdisc *sch,
return (bo && list_empty(&bo->cb_list)) ? -EOPNOTSUPP : count;
}
EXPORT_SYMBOL(flow_indr_dev_setup_offload);
+
+bool flow_indr_dev_exists(void)
+{
+ return !list_empty(&flow_block_indr_dev_list);
+}
+EXPORT_SYMBOL(flow_indr_dev_exists);
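Review bot: flow_indr_dev_exists() reads flow_block_indr_dev_list without the lock the rest of this file takes when it modifies that list; list_empty() is a single pointer compare, so the racy read is tolerable for an early-bail heuristic, but it means a chain created just before an indirect-block driver registers is refused and one created just before the driver unregisters is accepted. A comment saying the result is a hint rather than a guarantee would stop callers from treating it as authoritative.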
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1a6a21bfb18d..51144fc66889 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2166,7 +2166,7 @@ static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
chain->flags |= NFT_CHAIN_BASE | flags;
basechain->policy = NF_ACCEPT;
if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
- nft_chain_offload_priority(basechain) < 0)
+ !nft_chain_offload_support(basechain))
return -EOPNOTSUPP;
flow_block_init(&basechain->flow_block);
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index 2d36952b1392..910ef881c3b8 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -208,7 +208,7 @@ static int nft_setup_cb_call(enum tc_setup_type type, void *type_data,
return 0;
}
-int nft_chain_offload_priority(struct nft_base_chain *basechain)
+static int nft_chain_offload_priority(const struct nft_base_chain *basechain)
{
if (basechain->ops.priority <= 0 ||
basechain->ops.priority > USHRT_MAX)
@@ -217,6 +217,27 @@ int nft_chain_offload_priority(struct nft_base_chain *basechain)
return 0;
}
+bool nft_chain_offload_support(const struct nft_base_chain *basechain)
+{
+ struct net_device *dev;
+ struct nft_hook *hook;
+
+ if (nft_chain_offload_priority(basechain) < 0)
+ return false;
+
+ list_for_each_entry(hook, &basechain->hook_list, list) {
+ if (hook->ops.pf != NFPROTO_NETDEV ||
+ hook->ops.hooknum != NF_NETDEV_INGRESS)
+ return false;
+
+ dev = hook->ops.dev;
+ if (!dev->netdev_ops->ndo_setup_tc && !flow_indr_dev_exists())
+ return false;
+ }
+
+ return true;
+}
+
static void nft_flow_cls_offload_setup(struct flow_cls_offload *cls_flow,
const struct nft_base_chain *basechain,
const struct nft_rule *rule,
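Review bot: two gaps in nft_chain_offload_support(): an empty basechain->hook_list makes the loop a no-op and the function returns true, and flow_indr_dev_exists() is global, so once any indirect flow block driver is registered every netdev, loopback included, passes the check, which undercuts the goal of keeping offload away from devices that cannot do it. Consider returning false when no hook is present and, if the infrastructure allows it, scoping the indirect-block test to `dev`; otherwise the commit message should say this is a coarse filter and name the user-visible symptom it prevents.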
--
2.30.2
* Re: [PATCH net 7/7] netfilter: nf_tables: bail out early if hardware offload is not supported
From: Jakub Kicinski @ 2022-06-08 1:00 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, pabeni, edumazet
On Mon, 6 Jun 2022 23:20:55 +0200 Pablo Neira Ayuso wrote:
> If user requests for NFT_CHAIN_HW_OFFLOAD, then check if either device
> provides the .ndo_setup_tc interface or there is an indirect flow block
> that has been registered. Otherwise, bail out early from the preparation
> phase. Moreover, validate that family == NFPROTO_NETDEV and hook is
> NF_NETDEV_INGRESS.
The whole series is pretty light on the "why". This patch is
particularly bad, no idea what the user visible bug was here.
* Re: [PATCH net 7/7] netfilter: nf_tables: bail out early if hardware offload is not supported
From: Pablo Neira Ayuso @ 2022-06-08 6:03 UTC (permalink / raw)
To: Jakub Kicinski; +Cc: netfilter-devel, davem, netdev, pabeni, edumazet
Hi Jakub,
On Tue, Jun 07, 2022 at 06:00:25PM -0700, Jakub Kicinski wrote:
> On Mon, 6 Jun 2022 23:20:55 +0200 Pablo Neira Ayuso wrote:
> > If user requests for NFT_CHAIN_HW_OFFLOAD, then check if either device
> > provides the .ndo_setup_tc interface or there is an indirect flow block
> > that has been registered. Otherwise, bail out early from the preparation
> > phase. Moreover, validate that family == NFPROTO_NETDEV and hook is
> > NF_NETDEV_INGRESS.
>
> The whole series is pretty light on the "why".
- [net,1/7] netfilter: nat: really support inet nat without l3 address
https://git.kernel.org/netdev/net/c/282e5f8fe907
This is a fix, otherwise NAT with the inet family (which allows both
IPv4 and IPv6 traffic) remains broken. It's a datapath fix, the
control plane was accepting the rule, however NAT was not applied if
user specified no layer 4 address, which might happen for, e.g., redirect.
- [net,2/7] netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in clean_net path
https://git.kernel.org/netdev/net/c/ab5e5c062f67
This is an incremental fix for f9a43007d3f7 ("netfilter: nf_tables:
double hook unregistration in netns path"), it is using kfree_rcu(ptr)
variant which works but it has some limitations. Use of kfree_rcu(ptr)
was not intentional, hence kfree_rcu(ptr, rcu).
- [net,3/7] netfilter: nf_tables: delete flowtable hooks via transaction list
https://git.kernel.org/netdev/net/c/b6d9014a3335
Deleting twice the same device on the flowtable might lead to ENOENT
since hook->inactive is not honored. Instead of honoring such flag,
this patch is fixing up this by using a flowtable hook list in the
transaction object to convey the hooks that are going to be deleted
which looks cleaner to me.
- [net,4/7] netfilter: nf_tables: always initialize flowtable hook list in transaction
https://git.kernel.org/netdev/net/c/2c9e4559773c
This is a one-liner, not urgent but Florian already reported in the
past that the flowtable hook list in the transaction object was not
initialized (even if not used). This patch initializes it to
increase robustness, this list is going to be empty/unused for the
non-update path anyway. Arguably I could have postponed this
one-liner.
- [net,5/7] netfilter: nf_tables: release new hooks on unsupported flowtable flags
https://git.kernel.org/netdev/net/c/c271cc9febaa
This is a fix. nft_flowtable_parse_hook() populates the hook list,
but the flowtable flags update logic was not releasing these objects
from the error path, hence, leading to a memleak.
- [net,6/7] netfilter: nf_tables: memleak flow rule from commit path
https://git.kernel.org/netdev/net/c/9dd732e0bdf5
kmemleak reported this memleak while running a series of test with
nf_tables hardware offload support for these objects, this is a fix.
> This patch is particularly bad, no idea what the user visible bug
> was here.
Are you referring to this?
- [net,7/7] netfilter: nf_tables: bail out early if hardware offload is not supported
https://git.kernel.org/netdev/net/c/3a41c64d9c11
Arguably, I could have postponed this patch, but quite recently
there was a silly bug in the hardware offload infrastructure, see
b1a5983f56e3 ("netfilter: nf_tables_offload: incorrect flow offload
action array size"). The reporter triggered the bug with the _loopback
interface_, he wondered why this infrastructure is exposed to all
devices while only a dozen of NICs support hardware offload, hence
this patch to disable hardware offload earlier in the control plane
path.
* [PATCH net 0/7] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2024-04-11 11:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following patchset contains Netfilter fixes for net:
Patches #1 and #2 add missing rcu read side lock when iterating over
expression and object type list which could race with module removal.
Patch #3 prevents promisc packet from visiting the bridge/input hook
to amend a recent fix to address conntrack confirmation race
in br_netfilter and nf_conntrack_bridge.
Patch #4 adds and uses iterate decorator type to fetch the current
pipapo set backend datastructure view when netlink dumps the
set elements.
Patch #5 fixes removal of duplicate elements in the pipapo set backend.
Patch #6 flowtable validates pppoe header before accessing it.
Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
fails and pppoe packets follow classic path.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
Thanks.
----------------------------------------------------------------
The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
----------------------------------------------------------------
netfilter pull request 24-04-11
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nft_set_pipapo: do not free live element
Pablo Neira Ayuso (4):
netfilter: br_netfilter: skip conntrack input hook for promisc packets
netfilter: nft_set_pipapo: walk over current view on netlink dump
netfilter: flowtable: validate pppoe header
netfilter: flowtable: incorrect pppoe tuple
Ziyang Xuan (2):
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
include/net/netfilter/nf_flow_table.h | 12 +++++++++++-
include/net/netfilter/nf_tables.h | 14 ++++++++++++++
net/bridge/br_input.c | 15 +++++++++++----
net/bridge/br_netfilter_hooks.c | 6 ++++++
net/bridge/br_private.h | 1 +
net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
net/netfilter/nf_flow_table_inet.c | 3 ++-
net/netfilter/nf_flow_table_ip.c | 10 ++++++----
net/netfilter/nf_tables_api.c | 22 ++++++++++++++++++----
net/netfilter/nft_set_pipapo.c | 19 ++++++++++++-------
10 files changed, 91 insertions(+), 25 deletions(-)
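Added example (editor's illustration, not code from nf.git or from this pull request): the class of bounds check that patch #6, "netfilter: flowtable: validate pppoe header", stands for. Before the flowtable can use the PPPoE session header to find the encapsulated IPv4/IPv6 packet, every field it reads has to be shown to lie inside the frame, and the PPPoE length field must not be trusted to extend past it. The function and macro names and the sample frames below are assumptions constructed for this example; the real flowtable code works on sk_buffs and is not reproduced here.

```c
/*
 * Added example, not kernel code: bounds-checked extraction of the
 * protocol carried inside a PPPoE session frame. Names and the sample
 * frames are constructed for this illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EX_ETH_HLEN      14
#define EX_ETH_P_PPP_SES 0x8864   /* Ethertype: PPPoE session stage */
#define EX_PPPOE_HLEN    6        /* ver/type, code, session id, length */
#define EX_PPP_IP        0x0021   /* PPP protocol: IPv4 */
#define EX_PPP_IPV6      0x0057   /* PPP protocol: IPv6 */
#define EX_ETH_P_IP      0x0800
#define EX_ETH_P_IPV6    0x86DD

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Returns 0 and sets *proto (ETH_P_IP/ETH_P_IPV6) and *inner_off (offset
 * of the encapsulated IP header) for a well-formed PPPoE session frame.
 * Returns -1 if the frame is too short, is not PPPoE session traffic, has
 * a bad version/type/code, a length field that overruns the frame, or a
 * PPP protocol that is not IPv4/IPv6.
 */
int pppoe_inner_proto(const uint8_t *frame, size_t len,
                      uint16_t *proto, size_t *inner_off)
{
    const uint8_t *pppoe;
    uint16_t pppoe_len, ppp_proto;

    if (len < EX_ETH_HLEN || be16(frame + 12) != EX_ETH_P_PPP_SES)
        return -1;
    /* PPPoE header plus the 2-byte PPP protocol field must be present */
    if (len < EX_ETH_HLEN + EX_PPPOE_HLEN + 2)
        return -1;

    pppoe = frame + EX_ETH_HLEN;
    if (pppoe[0] != 0x11 || pppoe[1] != 0x00)   /* ver 1, type 1, code 0 */
        return -1;

    pppoe_len = be16(pppoe + 4);                /* payload incl. PPP proto */
    if (pppoe_len < 2 || EX_ETH_HLEN + EX_PPPOE_HLEN + (size_t)pppoe_len > len)
        return -1;

    ppp_proto = be16(pppoe + EX_PPPOE_HLEN);
    if (ppp_proto == EX_PPP_IP)
        *proto = EX_ETH_P_IP;
    else if (ppp_proto == EX_PPP_IPV6)
        *proto = EX_ETH_P_IPV6;
    else
        return -1;

    *inner_off = EX_ETH_HLEN + EX_PPPOE_HLEN + 2;
    return 0;
}

/* Constructed frame: PPPoE session carrying a minimal IPv4 header. */
const uint8_t good_v4_frame[] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x88,0x64,
    0x11,0x00, 0x00,0x01, 0x00,0x16,            /* ver/type, code, sid, len=22 */
    0x00,0x21,                                  /* PPP: IPv4 */
    0x45,0x00,0x00,0x14, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
};
/* Same frame, but the PPPoE length field (256) overruns the buffer. */
const uint8_t overrun_frame[] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x88,0x64,
    0x11,0x00, 0x00,0x01, 0x01,0x00,
    0x00,0x21,
    0x45,0x00,0x00,0x14, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
};
/* Well-formed PPPoE frame carrying LCP (0xc021): not forwardable. */
const uint8_t lcp_frame[] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x88,0x64,
    0x11,0x00, 0x00,0x01, 0x00,0x06,
    0xc0,0x21, 0x01,0x01,0x00,0x04,
};

/* Scratch outputs so callers need no local variables. */
uint16_t demo_proto;
size_t demo_off;

int main(void)
{
    int rc = pppoe_inner_proto(good_v4_frame, sizeof good_v4_frame,
                               &demo_proto, &demo_off);
    printf("good frame: rc=%d proto=0x%04x inner_off=%zu\n", rc, demo_proto, demo_off);
    rc = pppoe_inner_proto(good_v4_frame, 20, &demo_proto, &demo_off);
    printf("truncated frame: rc=%d\n", rc);
    rc = pppoe_inner_proto(overrun_frame, sizeof overrun_frame, &demo_proto, &demo_off);
    printf("overrun length field: rc=%d\n", rc);
    rc = pppoe_inner_proto(lcp_frame, sizeof lcp_frame, &demo_proto, &demo_off);
    printf("lcp frame: rc=%d\n", rc);
    return 0;
}
```

The important point is the order of the checks: the frame length is compared against the fixed header sizes before any header byte is read, and the attacker-controlled PPPoE length field is validated against the frame before it is used to locate the payload. A lookup that fails here simply falls back to the classic path, which is the safe outcome.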
* Re: [PATCH net 0/7] Netfilter fixes for net
2024-04-11 11:28 [PATCH net 0/7] Netfilter fixes for net Pablo Neira Ayuso
@ 2024-04-11 11:39 ` Paolo Abeni
2024-04-11 11:42 ` Pablo Neira Ayuso
0 siblings, 1 reply; 20+ messages in thread
From: Paolo Abeni @ 2024-04-11 11:39 UTC (permalink / raw)
To: Pablo Neira Ayuso, netfilter-devel; +Cc: davem, netdev, kuba, edumazet, fw
On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> Hi,
>
> The following patchset contains Netfilter fixes for net:
>
> Patches #1 and #2 add missing rcu read side lock when iterating over
> expression and object type list which could race with module removal.
>
> Patch #3 prevents promisc packet from visiting the bridge/input hook
> to amend a recent fix to address conntrack confirmation race
> in br_netfilter and nf_conntrack_bridge.
>
> Patch #4 adds and uses iterate decorator type to fetch the current
> pipapo set backend datastructure view when netlink dumps the
> set elements.
>
> Patch #5 fixes removal of duplicate elements in the pipapo set backend.
>
> Patch #6 flowtable validates pppoe header before accessing it.
>
> Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> fails and pppoe packets follow classic path.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
>
> Thanks.
>
> ----------------------------------------------------------------
>
> The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
>
> r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
>
> are available in the Git repository at:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
>
> for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
>
> netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
>
> ----------------------------------------------------------------
> netfilter pull request 24-04-11
>
> ----------------------------------------------------------------
> Florian Westphal (1):
> netfilter: nft_set_pipapo: do not free live element
>
> Pablo Neira Ayuso (4):
> netfilter: br_netfilter: skip conntrack input hook for promisc packets
> netfilter: nft_set_pipapo: walk over current view on netlink dump
> netfilter: flowtable: validate pppoe header
> netfilter: flowtable: incorrect pppoe tuple
>
> Ziyang Xuan (2):
> netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
>
> include/net/netfilter/nf_flow_table.h | 12 +++++++++++-
> include/net/netfilter/nf_tables.h | 14 ++++++++++++++
> net/bridge/br_input.c | 15 +++++++++++----
> net/bridge/br_netfilter_hooks.c | 6 ++++++
> net/bridge/br_private.h | 1 +
> net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> net/netfilter/nf_flow_table_inet.c | 3 ++-
> net/netfilter/nf_flow_table_ip.c | 10 ++++++----
> net/netfilter/nf_tables_api.c | 22 ++++++++++++++++++----
> net/netfilter/nft_set_pipapo.c | 19 ++++++++++++-------
> 10 files changed, 91 insertions(+), 25 deletions(-)
Whoops, I'm finishing testing right now today's PR, I hope it's not a
big issue if this lands later?
Thanks,
Paolo
* Re: [PATCH net 0/7] Netfilter fixes for net
2024-04-11 11:39 ` Paolo Abeni
@ 2024-04-11 11:42 ` Pablo Neira Ayuso
2024-04-11 11:58 ` Paolo Abeni
0 siblings, 1 reply; 20+ messages in thread
From: Pablo Neira Ayuso @ 2024-04-11 11:42 UTC (permalink / raw)
To: Paolo Abeni; +Cc: netfilter-devel, davem, netdev, kuba, edumazet, fw
On Thu, Apr 11, 2024 at 01:39:30PM +0200, Paolo Abeni wrote:
> On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> > Hi,
> >
> > The following patchset contains Netfilter fixes for net:
> >
> > Patches #1 and #2 add missing rcu read side lock when iterating over
> > expression and object type list which could race with module removal.
> >
> > Patch #3 prevents promisc packet from visiting the bridge/input hook
> > to amend a recent fix to address conntrack confirmation race
> > in br_netfilter and nf_conntrack_bridge.
> >
> > Patch #4 adds and uses iterate decorator type to fetch the current
> > pipapo set backend datastructure view when netlink dumps the
> > set elements.
> >
> > Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> >
> > Patch #6 flowtable validates pppoe header before accessing it.
> >
> > Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> > fails and pppoe packets follow classic path.
> >
> > Please, pull these changes from:
> >
> > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> >
> > Thanks.
> >
> > ----------------------------------------------------------------
> >
> > The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> >
> > r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> >
> > are available in the Git repository at:
> >
> > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> >
> > for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> >
> > netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> >
> > ----------------------------------------------------------------
> > netfilter pull request 24-04-11
> >
> > ----------------------------------------------------------------
> > Florian Westphal (1):
> > netfilter: nft_set_pipapo: do not free live element
> >
> > Pablo Neira Ayuso (4):
> > netfilter: br_netfilter: skip conntrack input hook for promisc packets
> > netfilter: nft_set_pipapo: walk over current view on netlink dump
> > netfilter: flowtable: validate pppoe header
> > netfilter: flowtable: incorrect pppoe tuple
> >
> > Ziyang Xuan (2):
> > netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> > netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> >
> > include/net/netfilter/nf_flow_table.h | 12 +++++++++++-
> > include/net/netfilter/nf_tables.h | 14 ++++++++++++++
> > net/bridge/br_input.c | 15 +++++++++++----
> > net/bridge/br_netfilter_hooks.c | 6 ++++++
> > net/bridge/br_private.h | 1 +
> > net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> > net/netfilter/nf_flow_table_inet.c | 3 ++-
> > net/netfilter/nf_flow_table_ip.c | 10 ++++++----
> > net/netfilter/nf_tables_api.c | 22 ++++++++++++++++++----
> > net/netfilter/nft_set_pipapo.c | 19 ++++++++++++-------
> > 10 files changed, 91 insertions(+), 25 deletions(-)
>
> Whoops, I'm finishing testing right now today's PR, I hope it's not a
> big issue if this lands later?
Apologies, I am working at full steam here, I could not deliver any sooner.
* Re: [PATCH net 0/7] Netfilter fixes for net
2024-04-11 11:42 ` Pablo Neira Ayuso
@ 2024-04-11 11:58 ` Paolo Abeni
2024-04-11 15:30 ` Pablo Neira Ayuso
0 siblings, 1 reply; 20+ messages in thread
From: Paolo Abeni @ 2024-04-11 11:58 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba, edumazet, fw
On Thu, 2024-04-11 at 13:42 +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 11, 2024 at 01:39:30PM +0200, Paolo Abeni wrote:
> > On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> > > Hi,
> > >
> > > The following patchset contains Netfilter fixes for net:
> > >
> > > Patches #1 and #2 add missing rcu read side lock when iterating over
> > > expression and object type list which could race with module removal.
> > >
> > > Patch #3 prevents promisc packet from visiting the bridge/input hook
> > > to amend a recent fix to address conntrack confirmation race
> > > in br_netfilter and nf_conntrack_bridge.
> > >
> > > Patch #4 adds and uses iterate decorator type to fetch the current
> > > pipapo set backend datastructure view when netlink dumps the
> > > set elements.
> > >
> > > Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> > >
> > > Patch #6 flowtable validates pppoe header before accessing it.
> > >
> > > Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> > > fails and pppoe packets follow classic path.
> > >
> > > Please, pull these changes from:
> > >
> > > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> > >
> > > Thanks.
> > >
> > > ----------------------------------------------------------------
> > >
> > > The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> > >
> > > r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> > >
> > > are available in the Git repository at:
> > >
> > > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> > >
> > > for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> > >
> > > netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> > >
> > > ----------------------------------------------------------------
> > > netfilter pull request 24-04-11
> > >
> > > ----------------------------------------------------------------
> > > Florian Westphal (1):
> > > netfilter: nft_set_pipapo: do not free live element
> > >
> > > Pablo Neira Ayuso (4):
> > > netfilter: br_netfilter: skip conntrack input hook for promisc packets
> > > netfilter: nft_set_pipapo: walk over current view on netlink dump
> > > netfilter: flowtable: validate pppoe header
> > > netfilter: flowtable: incorrect pppoe tuple
> > >
> > > Ziyang Xuan (2):
> > > netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> > > netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> > >
> > > include/net/netfilter/nf_flow_table.h | 12 +++++++++++-
> > > include/net/netfilter/nf_tables.h | 14 ++++++++++++++
> > > net/bridge/br_input.c | 15 +++++++++++----
> > > net/bridge/br_netfilter_hooks.c | 6 ++++++
> > > net/bridge/br_private.h | 1 +
> > > net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> > > net/netfilter/nf_flow_table_inet.c | 3 ++-
> > > net/netfilter/nf_flow_table_ip.c | 10 ++++++----
> > > net/netfilter/nf_tables_api.c | 22 ++++++++++++++++++----
> > > net/netfilter/nft_set_pipapo.c | 19 ++++++++++++-------
> > > 10 files changed, 91 insertions(+), 25 deletions(-)
> >
> > Whoops, I'm finishing testing right now today's PR, I hope it's not a
> > big issue if this lands later?
>
> Apologies, I am working at full steam here, I could not deliver any sooner.
I'm sorry, I was likely unclear, the above was just a question (not a
complaint): do you have a strong preference for these fixes to land into
today's PR? (the answer is unclear to me)
Thanks!
Paolo
* Re: [PATCH net 0/7] Netfilter fixes for net
2024-04-11 11:58 ` Paolo Abeni
@ 2024-04-11 15:30 ` Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2024-04-11 15:30 UTC (permalink / raw)
To: Paolo Abeni; +Cc: netfilter-devel, davem, netdev, kuba, edumazet, fw
On Thu, Apr 11, 2024 at 01:58:37PM +0200, Paolo Abeni wrote:
> On Thu, 2024-04-11 at 13:42 +0200, Pablo Neira Ayuso wrote:
> > On Thu, Apr 11, 2024 at 01:39:30PM +0200, Paolo Abeni wrote:
> > > On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> > > > Hi,
> > > >
> > > > The following patchset contains Netfilter fixes for net:
> > > >
> > > > Patches #1 and #2 add missing rcu read side lock when iterating over
> > > > expression and object type list which could race with module removal.
> > > >
> > > > Patch #3 prevents promisc packet from visiting the bridge/input hook
> > > > to amend a recent fix to address conntrack confirmation race
> > > > in br_netfilter and nf_conntrack_bridge.
> > > >
> > > > Patch #4 adds and uses iterate decorator type to fetch the current
> > > > pipapo set backend datastructure view when netlink dumps the
> > > > set elements.
> > > >
> > > > Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> > > >
> > > > Patch #6 flowtable validates pppoe header before accessing it.
> > > >
> > > > Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> > > > fails and pppoe packets follow classic path.
> > > >
> > > > Please, pull these changes from:
> > > >
> > > > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> > > >
> > > > Thanks.
> > > >
> > > > ----------------------------------------------------------------
> > > >
> > > > The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> > > >
> > > > r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> > > >
> > > > are available in the Git repository at:
> > > >
> > > > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> > > >
> > > > for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> > > >
> > > > netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> > > >
> > > > ----------------------------------------------------------------
> > > > netfilter pull request 24-04-11
> > > >
> > > > ----------------------------------------------------------------
> > > > Florian Westphal (1):
> > > > netfilter: nft_set_pipapo: do not free live element
> > > >
> > > > Pablo Neira Ayuso (4):
> > > > netfilter: br_netfilter: skip conntrack input hook for promisc packets
> > > > netfilter: nft_set_pipapo: walk over current view on netlink dump
> > > > netfilter: flowtable: validate pppoe header
> > > > netfilter: flowtable: incorrect pppoe tuple
> > > >
> > > > Ziyang Xuan (2):
> > > > netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> > > > netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> > > >
> > > > include/net/netfilter/nf_flow_table.h | 12 +++++++++++-
> > > > include/net/netfilter/nf_tables.h | 14 ++++++++++++++
> > > > net/bridge/br_input.c | 15 +++++++++++----
> > > > net/bridge/br_netfilter_hooks.c | 6 ++++++
> > > > net/bridge/br_private.h | 1 +
> > > > net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> > > > net/netfilter/nf_flow_table_inet.c | 3 ++-
> > > > net/netfilter/nf_flow_table_ip.c | 10 ++++++----
> > > > net/netfilter/nf_tables_api.c | 22 ++++++++++++++++++----
> > > > net/netfilter/nft_set_pipapo.c | 19 ++++++++++++-------
> > > > 10 files changed, 91 insertions(+), 25 deletions(-)
> > >
> > > Whoops, I'm finishing testing right now today's PR, I hope it's not a
> > > big issue if this lands later?
> >
> > Apologies, I am working at full steam here, I could not deliver any sooner.
>
> I'm sorry, I was likely unclear, the above was just a question (not a
> complaint): do you have a strong preference for these fixes to land into
> today's PR? (the answer is unclear to me)
No problem Paolo, I can miss this flight, it is OK.
* [PATCH net 0/7] Netfilter fixes for net
@ 2023-01-02 16:40 Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2023-01-02 16:40 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Use signed integer in ipv6_skip_exthdr() called from nf_confirm().
Reported by static analysis tooling, patch from Florian Westphal.
2) Missing set type checks in nf_tables: Validate that set declaration
matches an existing set type, otherwise bail out with EEXIST.
Currently, nf_tables silently accepts the re-declaration with a
different type but it bails out later with EINVAL when the user adds
entries to the set. This fix is relatively large because it requires
two preparation patches that are included in this batch.
3) Do not ignore updates of timeout and gc_interval parameters in
existing sets.
4) Fix a hang when a 0/0 subnet is added to a hash:net,port,net type of
ipset. Except hash:net,port,net and hash:net,iface, the set types don't
support 0/0 and the auxiliary functions rely on this fact. So 0/0 needs
a special handling in hash:net,port,net which was missing (hash:net,iface
was not affected by this bug), from Jozsef Kadlecsik.
5) When adding/deleting large number of elements in one step in ipset,
it can take a reasonable amount of time and can result in soft lockup
errors. This patch is a complete rework of the previous version in order
to use a smaller internal batch limit and at the same time removing
the external hard limit to add arbitrary number of elements in one step.
Also from Jozsef Kadlecsik.
Except for patch #1, which fixes a bug introduced in the previous net-next
development cycle, everything else has been broken for several releases.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 19e72b064fc32cd58f6fc0b1eb64ac2e4f770e76:
net: fec: check the return value of build_skb() (2022-12-20 11:33:24 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 5e29dc36bd5e2166b834ceb19990d9e68a734d7d:
netfilter: ipset: Rework long task execution when adding/deleting entries (2023-01-02 15:10:05 +0100)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: conntrack: fix ipv6 exthdr error check
Jozsef Kadlecsik (2):
netfilter: ipset: fix hash:net,port,net hang with /0 subnet
netfilter: ipset: Rework long task execution when adding/deleting entries
Pablo Neira Ayuso (4):
netfilter: nf_tables: consolidate set description
netfilter: nf_tables: add function to create set stateful expressions
netfilter: nf_tables: perform type checking for existing sets
netfilter: nf_tables: honor set timeout and garbage collection updates
include/linux/netfilter/ipset/ip_set.h | 2 +-
include/net/netfilter/nf_tables.h | 25 ++-
net/netfilter/ipset/ip_set_core.c | 7 +-
net/netfilter/ipset/ip_set_hash_ip.c | 14 +-
net/netfilter/ipset/ip_set_hash_ipmark.c | 13 +-
net/netfilter/ipset/ip_set_hash_ipport.c | 13 +-
net/netfilter/ipset/ip_set_hash_ipportip.c | 13 +-
net/netfilter/ipset/ip_set_hash_ipportnet.c | 13 +-
net/netfilter/ipset/ip_set_hash_net.c | 17 +-
net/netfilter/ipset/ip_set_hash_netiface.c | 15 +-
net/netfilter/ipset/ip_set_hash_netnet.c | 23 +--
net/netfilter/ipset/ip_set_hash_netport.c | 19 +-
net/netfilter/ipset/ip_set_hash_netportnet.c | 40 ++--
net/netfilter/nf_conntrack_proto.c | 7 +-
net/netfilter/nf_tables_api.c | 261 ++++++++++++++++++---------
15 files changed, 293 insertions(+), 189 deletions(-)
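Added example (editor's illustration, not the kernel's code): why item 1, "use signed integer in ipv6_skip_exthdr() called from nf_confirm()", matters. ipv6_skip_exthdr() reports a malformed extension-header chain with a negative return; if the caller stores that in an unsigned variable, the error check is dead code and the bogus offset is used. skip_exthdr() below is a simplified stand-in that walks the chain with bounds checks, and the two callers contrast the unsigned (buggy) and signed (fixed) handling. Names and the sample packet are constructed for this example.

```c
/*
 * Added example, not kernel code. skip_exthdr() is a simplified stand-in
 * for ipv6_skip_exthdr(): it returns the offset of the upper-layer header
 * or -1 on a truncated chain. Names and the sample packet are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EX_IPV6_HLEN       40
#define EX_NEXTHDR_HOP      0
#define EX_NEXTHDR_TCP      6
#define EX_NEXTHDR_ROUTING 43
#define EX_NEXTHDR_DEST    60

static int is_exthdr(uint8_t nh)
{
    return nh == EX_NEXTHDR_HOP || nh == EX_NEXTHDR_ROUTING || nh == EX_NEXTHDR_DEST;
}

/* Offset of the first non-extension header (sets *nexthdr), or -1. */
int skip_exthdr(const uint8_t *pkt, size_t len, uint8_t *nexthdr)
{
    uint8_t nh;
    size_t off = EX_IPV6_HLEN;

    if (len < EX_IPV6_HLEN)
        return -1;
    nh = pkt[6];
    while (is_exthdr(nh)) {
        size_t hlen;

        if (off + 2 > len)              /* need next-header and hdrlen bytes */
            return -1;
        hlen = ((size_t)pkt[off + 1] + 1) * 8;
        if (off + hlen > len)           /* extension header is truncated */
            return -1;
        nh = pkt[off];
        off += hlen;
    }
    *nexthdr = nh;
    return (int)off;
}

/*
 * Buggy caller: the int result lands in an unsigned variable, so -1 turns
 * into 4294967295 and "off < 0" can never be true (this is the comparison
 * static analysers flag). A real caller would then index far past the packet.
 */
unsigned int transport_offset_buggy(const uint8_t *pkt, size_t len, uint8_t *nh)
{
    unsigned int off = (unsigned int)skip_exthdr(pkt, len, nh);

    if (off < 0)
        return 0;
    return off;
}

/* Fixed caller: keep the result signed so the error check is live. */
int transport_offset_fixed(const uint8_t *pkt, size_t len, uint8_t *nh)
{
    int off = skip_exthdr(pkt, len, nh);

    if (off < 0)
        return -1;
    return off;
}

/* Constructed packet: IPv6 header, one 8-byte hop-by-hop header, 4 bytes of TCP. */
const uint8_t sample_pkt[] = {
    0x60,0x00,0x00,0x00, 0x00,0x0c, 0x00, 0x40,          /* payload 12, nh=HOP */
    0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,0x01,     /* src */
    0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,0x02,     /* dst */
    0x06, 0x00, 0x01,0x04,0x00,0x00,0x00,0x00,           /* HBH: nh=TCP, 8 bytes, PadN */
    0x00,0x50, 0x1f,0x90,                                /* start of TCP header */
};
uint8_t demo_nh;

int main(void)
{
    printf("full packet: fixed=%d\n",
           transport_offset_fixed(sample_pkt, sizeof sample_pkt, &demo_nh));
    printf("truncated to 44 bytes: buggy=%u fixed=%d\n",
           transport_offset_buggy(sample_pkt, 44, &demo_nh),
           transport_offset_fixed(sample_pkt, 44, &demo_nh));
    return 0;
}
```

Compiling the buggy caller with -Wextra (gcc's -Wtype-limits) produces the "comparison of unsigned expression < 0 is always false" warning, which is the kind of report the message says static analysis tooling raised.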
* [PATCH net 0/7] Netfilter fixes for net
@ 2022-05-18 21:38 Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2022-05-18 21:38 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni
Hi,
This patchset contains Netfilter fixes for net:
1) Reduce number of hardware offload retries from flowtable datapath
which might hog system with retries, from Felix Fietkau.
2) Skip neighbour lookup for PPPoE device, fill_forward_path() already
provides this and set on destination address from fill_forward_path for
PPPoE device, also from Felix.
4) When combining PPPoE on top of a VLAN device, set info->outdev to the
PPPoE device so software offload works, from Felix.
5) Fix TCP teardown flowtable state, races with conntrack gc might result
in resetting the state to ESTABLISHED and the time to one day. Joint
work with Oz Shlomo and Sven Auhagen.
6) Call dst_check() from flowtable datapath to check if dst is stale
instead of doing it from garbage collector path.
7) Disable register tracking infrastructure, either user-space or
kernel needs to pre-fetch keys unconditionally, otherwise register
tracking assumes data is already available in register that might
not well be there, leading to incorrect reductions.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit f3f19f939c11925dadd3f4776f99f8c278a7017b:
Merge tag 'net-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net (2022-05-12 11:51:45 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 9e539c5b6d9c5b996e45105921ee9dd955c0f535:
netfilter: nf_tables: disable expression reduction infra (2022-05-18 17:34:26 +0200)
----------------------------------------------------------------
Felix Fietkau (4):
netfilter: flowtable: fix excessive hw offload attempts after failure
netfilter: nft_flow_offload: skip dst neigh lookup for ppp devices
net: fix dev_fill_forward_path with pppoe + bridge
netfilter: nft_flow_offload: fix offload with pppoe + vlan
Pablo Neira Ayuso (2):
netfilter: flowtable: fix TCP flow teardown
netfilter: nf_tables: disable expression reduction infra
Ritaro Takenaka (1):
netfilter: flowtable: move dst_check to packet path
drivers/net/ppp/pppoe.c | 1 +
include/linux/netdevice.h | 2 +-
net/core/dev.c | 2 +-
net/netfilter/nf_flow_table_core.c | 60 +++++++-------------------------------
net/netfilter/nf_flow_table_ip.c | 19 ++++++++++++
net/netfilter/nf_tables_api.c | 11 +------
net/netfilter/nft_flow_offload.c | 28 +++++++++++-------
7 files changed, 51 insertions(+), 72 deletions(-)
* [PATCH net 0/7] Netfilter fixes for net
@ 2021-12-09 0:08 Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2021-12-09 0:08 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix bogus compiler warning in nfnetlink_queue, from Florian Westphal.
2) Don't run conntrack on vrf with !dflt qdisc, from Nicolas Dichtel.
3) Fix nft_pipapo bucket load in AVX2 lookup routine for six 8-bit
groups, from Stefano Brivio.
4) Break rule evaluation on malformed TCP options.
5) Use socat instead of nc in selftests/netfilter/nft_zones_many.sh,
also from Florian.
6) Fix KCSAN data-race in conntrack timeout updates, from Eric Dumazet.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 34d8778a943761121f391b7921f79a7adbe1feaf:
MAINTAINERS: s390/net: add Alexandra and Wenjia as maintainer (2021-11-30 12:20:07 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 802a7dc5cf1bef06f7b290ce76d478138408d6b1:
netfilter: conntrack: annotate data-races around ct->timeout (2021-12-08 01:29:15 +0100)
----------------------------------------------------------------
Eric Dumazet (1):
netfilter: conntrack: annotate data-races around ct->timeout
Florian Westphal (2):
netfilter: nfnetlink_queue: silence bogus compiler warning
selftests: netfilter: switch zone stress to socat
Nicolas Dichtel (1):
vrf: don't run conntrack on vrf with !dflt qdisc
Pablo Neira Ayuso (1):
netfilter: nft_exthdr: break evaluation if setting TCP option fails
Stefano Brivio (2):
nft_set_pipapo: Fix bucket load in AVX2 lookup routine for six 8-bit groups
selftests: netfilter: Add correctness test for mac,net set type
drivers/net/vrf.c | 8 +++---
include/net/netfilter/nf_conntrack.h | 6 ++---
net/netfilter/nf_conntrack_core.c | 6 ++---
net/netfilter/nf_conntrack_netlink.c | 2 +-
net/netfilter/nf_flow_table_core.c | 4 +--
net/netfilter/nfnetlink_queue.c | 2 +-
net/netfilter/nft_exthdr.c | 11 +++++---
net/netfilter/nft_set_pipapo_avx2.c | 2 +-
tools/testing/selftests/netfilter/conntrack_vrf.sh | 30 +++++++++++++++++++---
.../selftests/netfilter/nft_concat_range.sh | 24 ++++++++++++++---
.../testing/selftests/netfilter/nft_zones_many.sh | 19 +++++++++-----
11 files changed, 82 insertions(+), 32 deletions(-)
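Added example (editor's illustration, not the nft_exthdr code): the behaviour item 4, "Break rule evaluation on malformed TCP options" / "netfilter: nft_exthdr: break evaluation if setting TCP option fails", describes. The option walk refuses a kind byte without a length byte, a length below 2 on a non-NOP/EOL option, and a length that runs past the option area; the "set" step reports failure instead of silently writing nothing, and the evaluation step turns that failure into a break rather than continuing with the rest of the rule. Names, the verdict enum and the sample option blocks are constructed for this example.

```c
/*
 * Added example, not kernel code: bounds-checked TCP option walk, an
 * in-place MSS rewrite that reports failure, and an evaluation step that
 * breaks when the rewrite fails. Names and sample data are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EX_TCPOPT_EOL     0
#define EX_TCPOPT_NOP     1
#define EX_TCPOPT_MSS     2
#define EX_TCPOPT_MSS_LEN 4

enum verdict { VERDICT_CONTINUE = 0, VERDICT_BREAK = 1 };

/*
 * Offset of the first option of kind `want` inside opts[0..optlen), with
 * its length in *found_len; -1 if absent or if the area is malformed (kind
 * byte without a length byte, length below 2, or length past optlen).
 */
int tcp_opt_find(const uint8_t *opts, size_t optlen, uint8_t want, uint8_t *found_len)
{
    size_t i = 0;

    while (i < optlen) {
        uint8_t kind = opts[i], len;

        if (kind == EX_TCPOPT_EOL)
            return -1;
        if (kind == EX_TCPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= optlen)            /* kind present, length byte missing */
            return -1;
        len = opts[i + 1];
        if (len < 2 || i + len > optlen) /* zero/one-byte or overrunning length */
            return -1;
        if (kind == want) {
            *found_len = len;
            return (int)i;
        }
        i += len;
    }
    return -1;
}

/* Rewrite the MSS value in place; -1 if absent, malformed or wrong length. */
int tcp_opt_set_mss(uint8_t *opts, size_t optlen, uint16_t mss)
{
    uint8_t len;
    int off = tcp_opt_find(opts, optlen, EX_TCPOPT_MSS, &len);

    if (off < 0 || len != EX_TCPOPT_MSS_LEN)
        return -1;
    opts[off + 2] = (uint8_t)(mss >> 8);
    opts[off + 3] = (uint8_t)(mss & 0xff);
    return 0;
}

/* One "set tcp option mss" step: break evaluation when the rewrite fails. */
enum verdict eval_set_mss(uint8_t *opts, size_t optlen, uint16_t mss)
{
    if (tcp_opt_set_mss(opts, optlen, mss) < 0)
        return VERDICT_BREAK;
    return VERDICT_CONTINUE;
}

/* Constructed option blocks. */
uint8_t good_opts[]     = { 0x02,0x04,0x05,0xb4, 0x01,0x01,0x04,0x02 }; /* MSS 1460, NOP, NOP, SACK-permitted */
uint8_t zero_len_opts[] = { 0x02,0x00,0x05,0xb4 };                      /* MSS with length 0 */
uint8_t trunc_opts[]    = { 0x01, 0x02,0x04,0x05 };                     /* NOP, MSS cut short */
uint8_t demo_len;

int main(void)
{
    printf("good: verdict=%d mss bytes now %02x%02x\n",
           eval_set_mss(good_opts, sizeof good_opts, 1400), good_opts[2], good_opts[3]);
    printf("zero length: verdict=%d\n", eval_set_mss(zero_len_opts, sizeof zero_len_opts, 1400));
    printf("truncated: verdict=%d\n", eval_set_mss(trunc_opts, sizeof trunc_opts, 1400));
    return 0;
}
```

Without the length-below-2 check the loop never advances on a zero-length option, and without the overrun check the rewrite would write past the option area; either way, continuing the rule after a failed set would let later expressions act on a packet that was not actually modified.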
* [PATCH net 0/7] Netfilter fixes for net
@ 2021-04-12 22:30 Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2021-04-12 22:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix NAT IPv6 offload in the flowtable.
2) icmpv6 is printed as unknown in /proc/net/nf_conntrack.
3) Use div64_u64() in nft_limit, from Eric Dumazet.
4) Use pre_exit to unregister ebtables and arptables hooks,
from Florian Westphal.
5) Fix out-of-bound memset in x_tables compat match/target,
also from Florian.
6) Clone set elements expression to ensure proper initialization.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 9adc89af724f12a03b47099cd943ed54e877cd59:
net: let skb_orphan_partial wake-up waiters. (2021-03-30 13:57:28 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 4d8f9065830e526c83199186c5f56a6514f457d2:
netfilter: nftables: clone set element expression template (2021-04-13 00:19:05 +0200)
----------------------------------------------------------------
Eric Dumazet (1):
netfilter: nft_limit: avoid possible divide error in nft_limit_init
Florian Westphal (3):
netfilter: bridge: add pre_exit hooks for ebtable unregistration
netfilter: arp_tables: add pre_exit hook for table unregister
netfilter: x_tables: fix compat match/target pad out-of-bound write
Pablo Neira Ayuso (3):
netfilter: flowtable: fix NAT IPv6 offload mangling
netfilter: conntrack: do not print icmpv6 as unknown via /proc
netfilter: nftables: clone set element expression template
include/linux/netfilter_arp/arp_tables.h | 5 ++--
include/linux/netfilter_bridge/ebtables.h | 5 ++--
net/bridge/netfilter/ebtable_broute.c | 8 +++++-
net/bridge/netfilter/ebtable_filter.c | 8 +++++-
net/bridge/netfilter/ebtable_nat.c | 8 +++++-
net/bridge/netfilter/ebtables.c | 30 ++++++++++++++++++--
net/ipv4/netfilter/arp_tables.c | 11 ++++++--
net/ipv4/netfilter/arptable_filter.c | 10 ++++++-
net/ipv4/netfilter/ip_tables.c | 2 ++
net/ipv6/netfilter/ip6_tables.c | 2 ++
net/netfilter/nf_conntrack_standalone.c | 1 +
net/netfilter/nf_flow_table_offload.c | 6 ++--
net/netfilter/nf_tables_api.c | 46 +++++++++++++++++++++++--------
net/netfilter/nft_limit.c | 4 +--
net/netfilter/x_tables.c | 10 ++-----
15 files changed, 118 insertions(+), 38 deletions(-)
end of thread, other threads:[~2024-04-11 15:30 UTC | newest]
Thread overview: 20+ messages
2022-06-06 21:20 [PATCH net 0/7] Netfilter fixes for net Pablo Neira Ayuso
2022-06-06 21:20 ` [PATCH net 1/7] netfilter: nat: really support inet nat without l3 address Pablo Neira Ayuso
2022-06-08 1:20 ` patchwork-bot+netdevbpf
2022-06-06 21:20 ` [PATCH net 2/7] netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in clean_net path Pablo Neira Ayuso
2022-06-06 21:20 ` [PATCH net 3/7] netfilter: nf_tables: delete flowtable hooks via transaction list Pablo Neira Ayuso
2022-06-06 21:20 ` [PATCH net 4/7] netfilter: nf_tables: always initialize flowtable hook list in transaction Pablo Neira Ayuso
2022-06-06 21:20 ` [PATCH net 5/7] netfilter: nf_tables: release new hooks on unsupported flowtable flags Pablo Neira Ayuso
2022-06-06 21:20 ` [PATCH net 6/7] netfilter: nf_tables: memleak flow rule from commit path Pablo Neira Ayuso
2022-06-06 21:20 ` [PATCH net 7/7] netfilter: nf_tables: bail out early if hardware offload is not supported Pablo Neira Ayuso
2022-06-08 1:00 ` Jakub Kicinski
2022-06-08 6:03 ` Pablo Neira Ayuso
-- strict thread matches above, loose matches on Subject: below --
2024-04-11 11:28 [PATCH net 0/7] Netfilter fixes for net Pablo Neira Ayuso
2024-04-11 11:39 ` Paolo Abeni
2024-04-11 11:42 ` Pablo Neira Ayuso
2024-04-11 11:58 ` Paolo Abeni
2024-04-11 15:30 ` Pablo Neira Ayuso
2023-01-02 16:40 Pablo Neira Ayuso
2022-05-18 21:38 Pablo Neira Ayuso
2021-12-09 0:08 Pablo Neira Ayuso
2021-04-12 22:30 Pablo Neira Ayuso