From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nf 0/5] netfilter: conntrack: make zone id part of conntrack hash
Date: Wed,  8 Sep 2021 14:28:33 +0200
Message-ID: <20210908122839.7526-1-fw@strlen.de>

This patch set makes the zone id part of the conntrack hash again.

First patch is a followup to
d7e7747ac5c2496c9,
"netfilter: refuse insertion if chain has grown too large".

Instead of a fixed-size limit, allow for some slack in the drop
limit.  This makes it harder to extract information about hash
table collisions/bucket overflows.

Second patch makes the zone id part of the tuple hash again.
This was removed six years ago to allow split-zone support.

Last two patches add test cases for zone support with colliding
tuples. First test case emulates split zones, where NAT is responsible
for exposing the overlapping networks and providing unique source ports via
nat port translation.

Second test case exercises overlapping tuples in distinct zones.

Expectation is that all connections succeed (first self test) and
that all insertions work (second self test).

Florian Westphal (5):
  netfilter: conntrack: make connection tracking table less predictable
  netfilter: conntrack: include zone id in tuple hash again
  netfilter: nat: include zone id in nat table hash again
  selftests: netfilter: add selftest for directional zone support
  selftests: netfilter: add zone stress test with colliding tuples

 net/netfilter/nf_conntrack_core.c             |  84 +++--
 net/netfilter/nf_nat_core.c                   |  17 +-
 .../selftests/netfilter/nft_nat_zones.sh      | 309 ++++++++++++++++++
 .../selftests/netfilter/nft_zones_many.sh     | 156 +++++++++
 4 files changed, 540 insertions(+), 26 deletions(-)
 create mode 100755 tools/testing/selftests/netfilter/nft_nat_zones.sh
 create mode 100755 tools/testing/selftests/netfilter/nft_zones_many.sh

-- 
2.32.0

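An added illustration of the cover letter's point, written for this page and not taken from the kernel's nf_conntrack_core.c: a toy model of a conntrack-style bucket table that hashes the same 5-tuple once per zone id, with and without the zone id folded into the hash. The 32-bit mixer, the table size of 1024 buckets and the fixed chain limit of 64 are assumptions for illustration only (the real table uses jhash over the tuple, a sized-at-boot table and, after patch 1, a randomised limit). The second function models the second selftest's expectation that every insertion of an overlapping tuple in a distinct zone is accepted.

```c
/* Example code for this page, not the kernel's own: a toy model of a
 * conntrack-style hash table used to show why the zone id must be part
 * of the tuple hash. The mixer, TABLE_SIZE and the chain limit are
 * assumptions, not the values used by nf_conntrack_core.c. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 1024u

struct tuple {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  proto;
};

/* Simple 32-bit mixing step (assumed; stands in for jhash). */
static uint32_t mix32(uint32_t h, uint32_t v)
{
    h ^= v;
    h *= 0x9E3779B1u;
    h ^= h >> 15;
    return h;
}

/* Bucket index for a tuple; the zone id is mixed in only if requested. */
static uint32_t hash_tuple(const struct tuple *t, uint16_t zone, int include_zone)
{
    uint32_t h = 0x12345678u;          /* stand-in for the per-boot hash seed */
    h = mix32(h, t->saddr);
    h = mix32(h, t->daddr);
    h = mix32(h, ((uint32_t)t->sport << 16) | t->dport);
    h = mix32(h, t->proto);
    if (include_zone)
        h = mix32(h, zone);
    return h % TABLE_SIZE;
}

/* Constructed sample flow: the same 5-tuple is reused in every zone,
 * which is exactly the "overlapping tuples in distinct zones" case. */
static const struct tuple overlapping = {
    .saddr = 0x0a000001u, .daddr = 0x0a000002u,
    .sport = 40000, .dport = 443, .proto = 6,
};

/* Insert the overlapping tuple once per zone 1..nzones and return the
 * length of the longest bucket chain the table ends up with. */
int longest_chain(int nzones, int include_zone)
{
    unsigned int chain[TABLE_SIZE];
    unsigned int longest = 0;

    memset(chain, 0, sizeof chain);
    for (int zone = 1; zone <= nzones; zone++) {
        uint32_t b = hash_tuple(&overlapping, (uint16_t)zone, include_zone);
        if (++chain[b] > longest)
            longest = chain[b];
    }
    return (int)longest;
}

/* Same insertions, but refuse an entry whose bucket chain has already
 * reached max_chain (the fixed-limit behaviour the first patch relaxes).
 * Returns how many insertions were refused; the selftest in patch 5
 * expects this to be zero once the zone id is part of the hash. */
int refused_insertions(int nzones, int include_zone, unsigned int max_chain)
{
    unsigned int chain[TABLE_SIZE];
    int refused = 0;

    memset(chain, 0, sizeof chain);
    for (int zone = 1; zone <= nzones; zone++) {
        uint32_t b = hash_tuple(&overlapping, (uint16_t)zone, include_zone);
        if (chain[b] >= max_chain) {
            refused++;
            continue;
        }
        chain[b]++;
    }
    return refused;
}

int main(void)
{
    int n = 500;
    printf("zone excluded: longest chain %d, refused %d of %d\n",
           longest_chain(n, 0), refused_insertions(n, 0, 64), n);
    printf("zone included: longest chain %d, refused %d of %d\n",
           longest_chain(n, 1), refused_insertions(n, 1, 64), n);
    return 0;
}
```

With the zone id left out of the hash, every zone's copy of the tuple lands in the same bucket, so the chain grows linearly with the number of zones and a fixed chain limit starts refusing insertions; with the zone id mixed in, the same 500 entries spread across the table and none are refused. The chain-length limit is the one the cover letter's first patch makes non-constant, which is why an attacker probing for the exact refusal point learns less after that change.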

Thread overview: 8+ messages
2021-09-08 12:28 Florian Westphal [this message]
2021-09-08 12:28 ` [PATCH nf 1/5] netfilter: conntrack: make connection tracking table less predictable Florian Westphal
2021-09-08 12:28 ` [PATCH nf 1/5] netfilter: conntrack: make max chain length random Florian Westphal
2021-09-08 12:28 ` [PATCH nf 2/5] netfilter: conntrack: include zone id in tuple hash again Florian Westphal
2021-09-08 12:28 ` [PATCH nf 3/5] netfilter: nat: include zone id in nat table " Florian Westphal
2021-09-08 12:28 ` [PATCH nf 4/5] selftests: netfilter: add selftest for directional zone support Florian Westphal
2021-09-08 12:28 ` [PATCH nf 5/5] selftests: netfilter: add zone stress test with colliding tuples Florian Westphal
2021-09-21  1:47 ` [PATCH nf 0/5] netfilter: conntrack: make zone id part of conntrack hash Pablo Neira Ayuso
