* [PATCH net 0/3] Netfilter fixes for net
@ 2023-03-01 22:20 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2023-03-01 22:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix bogus error report in selftests/netfilter/nft_nat.sh,
from Hangbin Liu.
2) Initialize last and quota expressions from template when
expr_ops::clone is called, otherwise, states are not restored
accordingly when loading a dynamic set with elements using
these two expressions.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 8f9850dd8d23c1290cb642ce9548a440da5771ec:
net: phy: unlock on error in phy_probe() (2023-02-28 12:40:12 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to aabef97a35160461e9c576848ded737558d89055:
netfilter: nft_quota: copy content when cloning expression (2023-03-01 17:23:23 +0100)
----------------------------------------------------------------
Hangbin Liu (1):
selftests: nft_nat: ensuring the listening side is up before starting the client
Pablo Neira Ayuso (2):
netfilter: nft_last: copy content when cloning expression
netfilter: nft_quota: copy content when cloning expression
net/netfilter/nft_last.c | 4 ++++
net/netfilter/nft_quota.c | 6 +++++-
tools/testing/selftests/netfilter/nft_nat.sh | 2 ++
3 files changed, 11 insertions(+), 1 deletion(-)
* [PATCH net 1/3] selftests: nft_nat: ensuring the listening side is up before starting the client
From: Pablo Neira Ayuso @ 2023-03-01 22:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Hangbin Liu <liuhangbin@gmail.com>
The test_local_dnat_portonly() function initiates the client-side as
soon as it sets the listening side to the background. This could lead to
a race condition where the server may not be ready to listen. To ensure
that the server-side is up and running before initiating the
client-side, a delay is introduced to the test_local_dnat_portonly()
function.
Before the fix:
# ./nft_nat.sh
PASS: netns routing/connectivity: ns0-rthlYrBU can reach ns1-rthlYrBU and ns2-rthlYrBU
PASS: ping to ns1-rthlYrBU was ip NATted to ns2-rthlYrBU
PASS: ping to ns1-rthlYrBU OK after ip nat output chain flush
PASS: ipv6 ping to ns1-rthlYrBU was ip6 NATted to ns2-rthlYrBU
2023/02/27 04:11:03 socat[6055] E connect(5, AF=2 10.0.1.99:2000, 16): Connection refused
ERROR: inet port rewrite
After the fix:
# ./nft_nat.sh
PASS: netns routing/connectivity: ns0-9sPJV6JJ can reach ns1-9sPJV6JJ and ns2-9sPJV6JJ
PASS: ping to ns1-9sPJV6JJ was ip NATted to ns2-9sPJV6JJ
PASS: ping to ns1-9sPJV6JJ OK after ip nat output chain flush
PASS: ipv6 ping to ns1-9sPJV6JJ was ip6 NATted to ns2-9sPJV6JJ
PASS: inet port rewrite without l3 address
Fixes: 282e5f8fe907 ("netfilter: nat: really support inet nat without l3 address")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tools/testing/selftests/netfilter/nft_nat.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh
index 924ecb3f1f73..dd40d9f6f259 100755
--- a/tools/testing/selftests/netfilter/nft_nat.sh
+++ b/tools/testing/selftests/netfilter/nft_nat.sh
@@ -404,6 +404,8 @@ EOF
echo SERVER-$family | ip netns exec "$ns1" timeout 5 socat -u STDIN TCP-LISTEN:2000 &
sc_s=$!
+ sleep 1
+
result=$(ip netns exec "$ns0" timeout 1 socat TCP:$daddr:2000 STDOUT)
if [ "$result" = "SERVER-inet" ];then
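Review bot: the fixed `sleep 1` added after `sc_s=$!` narrows the race but does not close it; on a loaded CI host the backgrounded socat may still not have bound port 2000 one second later, and the test then fails with the same "Connection refused" shown in the commit message, while every healthy run now pays an unconditional one-second delay. Consider polling for the listener instead, e.g. retrying `ip netns exec "$ns1" ss -ltn` in a short loop until port 2000 appears (bounded by the existing 5-second `timeout` on the server side), and only then starting the client.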
--
2.30.2
* [PATCH net 2/3] netfilter: nft_last: copy content when cloning expression
From: Pablo Neira Ayuso @ 2023-03-01 22:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
If the ruleset contains last timestamps, restore them accordingly.
Otherwise, listing after restoration shows never used items.
Fixes: 33a24de37e81 ("netfilter: nft_last: move stateful fields out of expression data")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_last.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nft_last.c b/net/netfilter/nft_last.c
index 7f2bda6641bd..8e6d7eaf9dc8 100644
--- a/net/netfilter/nft_last.c
+++ b/net/netfilter/nft_last.c
@@ -105,11 +105,15 @@ static void nft_last_destroy(const struct nft_ctx *ctx,
static int nft_last_clone(struct nft_expr *dst, const struct nft_expr *src)
{
struct nft_last_priv *priv_dst = nft_expr_priv(dst);
+ struct nft_last_priv *priv_src = nft_expr_priv(src);
priv_dst->last = kzalloc(sizeof(*priv_dst->last), GFP_ATOMIC);
if (!priv_dst->last)
return -ENOMEM;
+ priv_dst->last->set = priv_src->last->set;
+ priv_dst->last->jiffies = priv_src->last->jiffies;
+
return 0;
}
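Review bot: the two field-by-field copies after the kzalloc (`priv_dst->last->set = priv_src->last->set;` and the matching `jiffies` line) will silently miss any field later added to the structure that `last` points to; since `nft_last_clone` already allocates a fresh object, a whole-object copy `*priv_dst->last = *priv_src->last;` (the form the nft_quota patch in this series uses for `consumed`) keeps the clone complete by construction, and `kmalloc` would then suffice in place of `kzalloc`. The clone also dereferences `priv_src->last` with no NULL check, which is correct only if the init path always allocates it before a clone can occur; a one-line comment stating that invariant would help the next reader.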
--
2.30.2
* [PATCH net 3/3] netfilter: nft_quota: copy content when cloning expression
From: Pablo Neira Ayuso @ 2023-03-01 22:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
If the ruleset contains consumed quota, restore it accordingly.
Otherwise, listing after restoration shows never used items.
Restore the user-defined quota and flags too.
Fixes: ed0a0c60f0e5 ("netfilter: nft_quota: move stateful fields out of expression data")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_quota.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c
index 123578e28917..3ba12a7471b0 100644
--- a/net/netfilter/nft_quota.c
+++ b/net/netfilter/nft_quota.c
@@ -236,12 +236,16 @@ static void nft_quota_destroy(const struct nft_ctx *ctx,
static int nft_quota_clone(struct nft_expr *dst, const struct nft_expr *src)
{
struct nft_quota *priv_dst = nft_expr_priv(dst);
+ struct nft_quota *priv_src = nft_expr_priv(src);
+
+ priv_dst->quota = priv_src->quota;
+ priv_dst->flags = priv_src->flags;
priv_dst->consumed = kmalloc(sizeof(*priv_dst->consumed), GFP_ATOMIC);
if (!priv_dst->consumed)
return -ENOMEM;
- atomic64_set(priv_dst->consumed, 0);
+ *priv_dst->consumed = *priv_src->consumed;
return 0;
}
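Review bot: `*priv_dst->consumed = *priv_src->consumed;` copies an `atomic64_t` by plain struct assignment, bypassing the atomic accessors that the removed line (`atomic64_set(priv_dst->consumed, 0);`) used; `atomic64_set(priv_dst->consumed, atomic64_read(priv_src->consumed));` keeps the access within the atomic API, which matters on 32-bit targets where a 64-bit load is not single-copy atomic, and makes it explicit that the source counter is a live value rather than plain data. The `quota` and `flags` copies placed before the kmalloc are fine, but on the `-ENOMEM` path `priv_dst` is now left partly initialised; harmless if the caller discards the destination on error, so a short comment saying so would avoid a later "fix".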
--
2.30.2
* Re: [PATCH net 1/3] selftests: nft_nat: ensuring the listening side is up before starting the client
From: patchwork-bot+netdevbpf @ 2023-03-02 10:40 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba, pabeni, edumazet
Hello:
This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Wed, 1 Mar 2023 23:20:19 +0100 you wrote:
> From: Hangbin Liu <liuhangbin@gmail.com>
>
> The test_local_dnat_portonly() function initiates the client-side as
> soon as it sets the listening side to the background. This could lead to
> a race condition where the server may not be ready to listen. To ensure
> that the server-side is up and running before initiating the
> client-side, a delay is introduced to the test_local_dnat_portonly()
> function.
>
> [...]
Here is the summary with links:
- [net,1/3] selftests: nft_nat: ensuring the listening side is up before starting the client
https://git.kernel.org/netdev/net/c/2067e7a00aa6
- [net,2/3] netfilter: nft_last: copy content when cloning expression
https://git.kernel.org/netdev/net/c/860e874290fb
- [net,3/3] netfilter: nft_quota: copy content when cloning expression
https://git.kernel.org/netdev/net/c/aabef97a3516
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html