Commit 1127c73a authored by Paolo Abeni's avatar Paolo Abeni

Merge tag 'nf-24-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Fix incorrect documentation in uapi/linux/netfilter/nf_tables.h
   regarding flowtable hooks, from Phil Sutter.

2) Fix nft_audit.sh selftests with newer nft binaries, due to different
   (valid) audit output, also from Phil.

3) Disable BH when duplicating packets via nf_dup infrastructure,
   otherwise race on nf_skb_duplicated for locally generated traffic.
   From Eric.

4) Missing return in callback of selftest C program, from zhang jiao.

netfilter pull request 24-10-02

* tag 'nf-24-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  selftests: netfilter: Add missing return value
  netfilter: nf_tables: prevent nf_skb_duplicated corruption
  selftests: netfilter: Fix nft_audit.sh for newer nft binaries
  netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED
====================

Link: https://patch.msgid.link/20241002202421.1281311-1-pablo@netfilter.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
parents a0ffa68c 10dbd236
...@@ -1694,7 +1694,7 @@ enum nft_flowtable_flags { ...@@ -1694,7 +1694,7 @@ enum nft_flowtable_flags {
* *
* @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING) * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING)
* @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING) * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
* @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32) * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED)
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32) * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64) * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
* @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32) * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
......
...@@ -53,8 +53,9 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, ...@@ -53,8 +53,9 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
{ {
struct iphdr *iph; struct iphdr *iph;
local_bh_disable();
if (this_cpu_read(nf_skb_duplicated)) if (this_cpu_read(nf_skb_duplicated))
return; goto out;
/* /*
* Copy the skb, and route the copy. Will later return %XT_CONTINUE for * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
* the original skb, which should continue on its way as if nothing has * the original skb, which should continue on its way as if nothing has
...@@ -62,7 +63,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, ...@@ -62,7 +63,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
*/ */
skb = pskb_copy(skb, GFP_ATOMIC); skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL) if (skb == NULL)
return; goto out;
#if IS_ENABLED(CONFIG_NF_CONNTRACK) #if IS_ENABLED(CONFIG_NF_CONNTRACK)
/* Avoid counting cloned packets towards the original connection. */ /* Avoid counting cloned packets towards the original connection. */
...@@ -91,6 +92,8 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, ...@@ -91,6 +92,8 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
} else { } else {
kfree_skb(skb); kfree_skb(skb);
} }
out:
local_bh_enable();
} }
EXPORT_SYMBOL_GPL(nf_dup_ipv4); EXPORT_SYMBOL_GPL(nf_dup_ipv4);
......
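Review bot: The new `local_bh_disable();` at the top of nf_dup_ipv4() carries no comment saying what it protects, and the reason given in the merge description (locally generated traffic racing on the per-CPU nf_skb_duplicated flag) is not visible from the code itself. A one-line comment above it such as `/* nf_skb_duplicated is per-CPU; keep BH off so the output path cannot race a softirq on it */` would record the intent for the next reader. nf_dup_ipv6() receives the identical change and would take the same comment. The body of nf_dup_ipv4() between the hunks, where the flag is presumably set and cleared around sending the copy, is outside the visible hunks, so I cannot confirm that every exit between them also reaches the `out:` label.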
...@@ -47,11 +47,12 @@ static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb, ...@@ -47,11 +47,12 @@ static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb,
void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
const struct in6_addr *gw, int oif) const struct in6_addr *gw, int oif)
{ {
local_bh_disable();
if (this_cpu_read(nf_skb_duplicated)) if (this_cpu_read(nf_skb_duplicated))
return; goto out;
skb = pskb_copy(skb, GFP_ATOMIC); skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL) if (skb == NULL)
return; goto out;
#if IS_ENABLED(CONFIG_NF_CONNTRACK) #if IS_ENABLED(CONFIG_NF_CONNTRACK)
nf_reset_ct(skb); nf_reset_ct(skb);
...@@ -69,6 +70,8 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, ...@@ -69,6 +70,8 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
} else { } else {
kfree_skb(skb); kfree_skb(skb);
} }
out:
local_bh_enable();
} }
EXPORT_SYMBOL_GPL(nf_dup_ipv6); EXPORT_SYMBOL_GPL(nf_dup_ipv6);
......
...@@ -207,6 +207,7 @@ static int conntrack_data_generate_v6(struct mnl_socket *sock, ...@@ -207,6 +207,7 @@ static int conntrack_data_generate_v6(struct mnl_socket *sock,
static int count_entries(const struct nlmsghdr *nlh, void *data) static int count_entries(const struct nlmsghdr *nlh, void *data)
{ {
reply_counter++; reply_counter++;
return MNL_CB_OK;
} }
static int conntracK_count_zone(struct mnl_socket *sock, uint16_t zone) static int conntracK_count_zone(struct mnl_socket *sock, uint16_t zone)
......
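Review bot: count_entries() now returns MNL_CB_OK, but nothing records why continuing the dump (rather than MNL_CB_STOP) is the intended outcome; a comment above the return such as `/* keep iterating: the caller counts every entry of the dump */` would make that explicit. Before this fix the callback fell off the end of a non-void function, so the value the libmnl callback runner saw was undefined and the dump could have ended or errored early — that is why the missing return was an observable bug and not just a warning. As a point of style, the count lives in the file-scope `reply_counter` while the `data` parameter is unused; passing a counter pointer through `data` would make the callback self-contained. The `conntracK_count_zone` spelling on the following context line predates this change.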
...@@ -48,12 +48,31 @@ logread_pid=$! ...@@ -48,12 +48,31 @@ logread_pid=$!
trap 'kill $logread_pid; rm -f $logfile $rulefile' EXIT trap 'kill $logread_pid; rm -f $logfile $rulefile' EXIT
exec 3<"$logfile" exec 3<"$logfile"
lsplit='s/^\(.*\) entries=\([^ ]*\) \(.*\)$/pfx="\1"\nval="\2"\nsfx="\3"/'
summarize_logs() {
sum=0
while read line; do
eval $(sed "$lsplit" <<< "$line")
[[ $sum -gt 0 ]] && {
[[ "$pfx $sfx" == "$tpfx $tsfx" ]] && {
let "sum += val"
continue
}
echo "$tpfx entries=$sum $tsfx"
}
tpfx="$pfx"
tsfx="$sfx"
sum=$val
done
echo "$tpfx entries=$sum $tsfx"
}
do_test() { # (cmd, log) do_test() { # (cmd, log)
echo -n "testing for cmd: $1 ... " echo -n "testing for cmd: $1 ... "
cat <&3 >/dev/null cat <&3 >/dev/null
$1 >/dev/null || exit 1 $1 >/dev/null || exit 1
sleep 0.1 sleep 0.1
res=$(diff -a -u <(echo "$2") - <&3) res=$(diff -a -u <(echo "$2") <(summarize_logs <&3))
[ $? -eq 0 ] && { echo "OK"; return; } [ $? -eq 0 ] && { echo "OK"; return; }
echo "FAIL" echo "FAIL"
grep -v '^\(---\|+++\|@@\)' <<< "$res" grep -v '^\(---\|+++\|@@\)' <<< "$res"
...@@ -152,31 +171,17 @@ do_test 'nft reset rules t1 c2' \ ...@@ -152,31 +171,17 @@ do_test 'nft reset rules t1 c2' \
'table=t1 family=2 entries=3 op=nft_reset_rule' 'table=t1 family=2 entries=3 op=nft_reset_rule'
do_test 'nft reset rules table t1' \ do_test 'nft reset rules table t1' \
'table=t1 family=2 entries=3 op=nft_reset_rule 'table=t1 family=2 entries=9 op=nft_reset_rule'
table=t1 family=2 entries=3 op=nft_reset_rule
table=t1 family=2 entries=3 op=nft_reset_rule'
do_test 'nft reset rules t2 c3' \ do_test 'nft reset rules t2 c3' \
'table=t2 family=2 entries=189 op=nft_reset_rule 'table=t2 family=2 entries=503 op=nft_reset_rule'
table=t2 family=2 entries=188 op=nft_reset_rule
table=t2 family=2 entries=126 op=nft_reset_rule'
do_test 'nft reset rules t2' \ do_test 'nft reset rules t2' \
'table=t2 family=2 entries=3 op=nft_reset_rule 'table=t2 family=2 entries=509 op=nft_reset_rule'
table=t2 family=2 entries=3 op=nft_reset_rule
table=t2 family=2 entries=186 op=nft_reset_rule
table=t2 family=2 entries=188 op=nft_reset_rule
table=t2 family=2 entries=129 op=nft_reset_rule'
do_test 'nft reset rules' \ do_test 'nft reset rules' \
'table=t1 family=2 entries=3 op=nft_reset_rule 'table=t1 family=2 entries=9 op=nft_reset_rule
table=t1 family=2 entries=3 op=nft_reset_rule table=t2 family=2 entries=509 op=nft_reset_rule'
table=t1 family=2 entries=3 op=nft_reset_rule
table=t2 family=2 entries=3 op=nft_reset_rule
table=t2 family=2 entries=3 op=nft_reset_rule
table=t2 family=2 entries=180 op=nft_reset_rule
table=t2 family=2 entries=188 op=nft_reset_rule
table=t2 family=2 entries=135 op=nft_reset_rule'
# resetting sets and elements # resetting sets and elements
...@@ -200,13 +205,11 @@ do_test 'nft reset counters t1' \ ...@@ -200,13 +205,11 @@ do_test 'nft reset counters t1' \
'table=t1 family=2 entries=1 op=nft_reset_obj' 'table=t1 family=2 entries=1 op=nft_reset_obj'
do_test 'nft reset counters t2' \ do_test 'nft reset counters t2' \
'table=t2 family=2 entries=342 op=nft_reset_obj 'table=t2 family=2 entries=500 op=nft_reset_obj'
table=t2 family=2 entries=158 op=nft_reset_obj'
do_test 'nft reset counters' \ do_test 'nft reset counters' \
'table=t1 family=2 entries=1 op=nft_reset_obj 'table=t1 family=2 entries=1 op=nft_reset_obj
table=t2 family=2 entries=341 op=nft_reset_obj table=t2 family=2 entries=500 op=nft_reset_obj'
table=t2 family=2 entries=159 op=nft_reset_obj'
# resetting quotas # resetting quotas
...@@ -217,13 +220,11 @@ do_test 'nft reset quotas t1' \ ...@@ -217,13 +220,11 @@ do_test 'nft reset quotas t1' \
'table=t1 family=2 entries=1 op=nft_reset_obj' 'table=t1 family=2 entries=1 op=nft_reset_obj'
do_test 'nft reset quotas t2' \ do_test 'nft reset quotas t2' \
'table=t2 family=2 entries=315 op=nft_reset_obj 'table=t2 family=2 entries=500 op=nft_reset_obj'
table=t2 family=2 entries=185 op=nft_reset_obj'
do_test 'nft reset quotas' \ do_test 'nft reset quotas' \
'table=t1 family=2 entries=1 op=nft_reset_obj 'table=t1 family=2 entries=1 op=nft_reset_obj
table=t2 family=2 entries=314 op=nft_reset_obj table=t2 family=2 entries=500 op=nft_reset_obj'
table=t2 family=2 entries=186 op=nft_reset_obj'
# deleting rules # deleting rules
......
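Review bot: In summarize_logs() every log line is turned into shell code and run through `eval $(sed "$lsplit" <<< "$line")`, so a line that lacks an ` entries=` field is passed to sed unchanged and then executed verbatim, and a `"`, `$` or backtick inside the matched fields breaks the generated assignments; bash's `=~` with BASH_REMATCH yields the same three fields without evaluating anything. The `while read line` loop also strips backslashes and leading/trailing whitespace, so `IFS= read -r` is the safer way to keep the line as logged, and tightening the value field to `[0-9]+` keeps `let "sum += val"` from ever seeing a non-numeric value. The rewrite below skips non-matching lines explicitly, which is a deliberate choice the original left undefined. Note also that on empty input the final `echo` still prints ` entries=0 `, which would show up as a diff in do_test if any test expects no audit output — I cannot tell from the visible hunks whether one does.
```shell
lsplit='^(.*) entries=([0-9]+) (.*)$'
summarize_logs() {
	sum=0
	while IFS= read -r line; do
		[[ $line =~ $lsplit ]] || continue
		pfx=${BASH_REMATCH[1]}; val=${BASH_REMATCH[2]}; sfx=${BASH_REMATCH[3]}
		# … unchanged: merge consecutive lines with equal prefix/suffix, flush on change …
	done
	# … unchanged: final echo …
}
```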