* [PATCH net 0/3] Netfilter/IPVS fixes for net
@ 2022-12-13 14:09 Pablo Neira Ayuso
2022-12-13 14:09 ` [PATCH net 1/3] netfilter: flowtable: really fix NAT IPv6 offload Pablo Neira Ayuso
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2022-12-13 14:09 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains fixes for Netfilter/IPVS:
1) Fix NAT IPv6 flowtable hardware offload, from Qingfang DENG.
2) Add a safety check to the IPVS socket option interface to report a
warning if an unsupported command is seen. From Li Qiong.
3) Document SCTP conntrack timeouts, from Sriram Yagnaraman.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit f8bac7f9fdb0017b32157957ffffd490f95faa07:
net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() (2022-12-08 09:38:31 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to f9645abe4255bd79e4c63799634c996dd53db321:
netfilter: conntrack: document sctp timeouts (2022-12-13 12:25:45 +0100)
----------------------------------------------------------------
Li Qiong (1):
ipvs: add a 'default' case in do_ip_vs_set_ctl()
Qingfang DENG (1):
netfilter: flowtable: really fix NAT IPv6 offload
Sriram Yagnaraman (1):
netfilter: conntrack: document sctp timeouts
Documentation/networking/nf_conntrack-sysctl.rst | 33 ++++++++++++++++++++++++
net/netfilter/ipvs/ip_vs_ctl.c | 5 ++++
net/netfilter/nf_flow_table_offload.c | 6 ++---
3 files changed, 41 insertions(+), 3 deletions(-)
* [PATCH net 1/3] netfilter: flowtable: really fix NAT IPv6 offload
From: Pablo Neira Ayuso @ 2022-12-13 14:09 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Qingfang DENG <dqfext@gmail.com>
The for-loop was broken from the start. It translates to:
for (i = 0; i < 4; i += 4)
which means the loop statement is run only once, so only the highest
32-bit of the IPv6 address gets mangled.
Fix the loop increment.
Fixes: 0e07e25b481a ("netfilter: flowtable: fix NAT IPv6 offload mangling")
Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support")
Signed-off-by: Qingfang DENG <dqfext@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_flow_table_offload.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 0fdcdb2c9ae4..4d9b99abe37d 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -383,12 +383,12 @@ static void flow_offload_ipv6_mangle(struct nf_flow_rule *flow_rule,
const __be32 *addr, const __be32 *mask)
{
struct flow_action_entry *entry;
- int i, j;
+ int i;
- for (i = 0, j = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32), j++) {
+ for (i = 0; i < sizeof(struct in6_addr) / sizeof(u32); i++) {
entry = flow_action_entry_next(flow_rule);
flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP6,
- offset + i, &addr[j], mask);
+ offset + i * sizeof(u32), &addr[i], mask);
}
}
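Review bot: in the `flow_offload_mangle()` call inside the loop, `addr` is now indexed per word (`&addr[i]`) while `mask` is still passed unchanged on every iteration, so all four 32-bit words share whatever `mask` points at. If that is intended, a one-line comment above the loop saying so would help, because the parameter `const __be32 *mask` reads like a per-word array in the same way `addr` does. Separately, `int i` is compared against a `sizeof` expression, which is a signed/unsigned comparison; `unsigned int i` would match both the loop bound and the `i * sizeof(u32)` offset arithmetic.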
--
2.30.2
* [PATCH net 2/3] ipvs: add a 'default' case in do_ip_vs_set_ctl()
From: Pablo Neira Ayuso @ 2022-12-13 14:09 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Li Qiong <liqiong@nfschina.com>
It is better to return the default switch case with
'-EINVAL', in case new commands are added. Otherwise,
return an uninitialized value of ret.
Signed-off-by: Li Qiong <liqiong@nfschina.com>
Reviewed-by: Simon Horman <horms@verge.net.au>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipvs/ip_vs_ctl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 988222fff9f0..97f6a1c8933a 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2590,6 +2590,11 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, sockptr_t ptr, unsigned int len)
break;
case IP_VS_SO_SET_DELDEST:
ret = ip_vs_del_dest(svc, &udest);
+ break;
+ default:
+ WARN_ON_ONCE(1);
+ ret = -EINVAL;
+ break;
}
out_unlock:
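Review bot: the `WARN_ON_ONCE(1)` in the new `default:` arm sits in a handler whose `cmd` argument arrives through a socket option call, so unless code earlier in `do_ip_vs_set_ctl()` (not visible in this hunk) already rejects unknown commands, the warning is reachable from userspace and matters on systems that treat kernel warnings as fatal. The commit message should state that `cmd` is validated before the switch and that this arm only guards against future commands being added without a case; if that cannot be guaranteed, keep `ret = -EINVAL;` and drop the warning. The message also mentions an uninitialized `ret`; initializing `ret` at its declaration would cover any other path that skips the switch.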
--
2.30.2
* [PATCH net 3/3] netfilter: conntrack: document sctp timeouts
From: Pablo Neira Ayuso @ 2022-12-13 14:09 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Exposed through sysctl, update documentation to describe sctp states and
their default timeouts.
Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
.../networking/nf_conntrack-sysctl.rst | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/Documentation/networking/nf_conntrack-sysctl.rst b/Documentation/networking/nf_conntrack-sysctl.rst
index 1120d71f28d7..49db1d11d7c4 100644
--- a/Documentation/networking/nf_conntrack-sysctl.rst
+++ b/Documentation/networking/nf_conntrack-sysctl.rst
@@ -163,6 +163,39 @@ nf_conntrack_timestamp - BOOLEAN
Enable connection tracking flow timestamping.
+nf_conntrack_sctp_timeout_closed - INTEGER (seconds)
+ default 10
+
+nf_conntrack_sctp_timeout_cookie_wait - INTEGER (seconds)
+ default 3
+
+nf_conntrack_sctp_timeout_cookie_echoed - INTEGER (seconds)
+ default 3
+
+nf_conntrack_sctp_timeout_established - INTEGER (seconds)
+ default 432000 (5 days)
+
+nf_conntrack_sctp_timeout_shutdown_sent - INTEGER (seconds)
+ default 0.3
+
+nf_conntrack_sctp_timeout_shutdown_recd - INTEGER (seconds)
+ default 0.3
+
+nf_conntrack_sctp_timeout_shutdown_ack_sent - INTEGER (seconds)
+ default 3
+
+nf_conntrack_sctp_timeout_heartbeat_sent - INTEGER (seconds)
+ default 30
+
+ This timeout is used to setup conntrack entry on secondary paths.
+ Default is set to hb_interval.
+
+nf_conntrack_sctp_timeout_heartbeat_acked - INTEGER (seconds)
+ default 210
+
+ This timeout is used to setup conntrack entry on secondary paths.
+ Default is set to (hb_interval * path_max_retrans + rto_max)
+
nf_conntrack_udp_timeout - INTEGER (seconds)
default 30
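Review bot: `nf_conntrack_sctp_timeout_shutdown_sent` and `nf_conntrack_sctp_timeout_shutdown_recd` are documented as `INTEGER (seconds)` with `default 0.3`, which cannot both be true; an administrator reading or writing the sysctl needs to know the value the interface actually reports and the unit it is in. Please correct either the type/unit or the default for those two entries. The entries from `closed` through `shutdown_ack_sent` also carry only a default and no description, unlike the two heartbeat entries; one sentence each on which SCTP state the timeout applies to would match the stated goal of describing the states, and would help when tuning conntrack table lifetime for SCTP flows (the 5-day `established` default in particular).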
--
2.30.2
* Re: [PATCH net 1/3] netfilter: flowtable: really fix NAT IPv6 offload
From: patchwork-bot+netdevbpf @ 2022-12-14 4:00 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba, pabeni, edumazet
Hello:
This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Tue, 13 Dec 2022 15:09:21 +0100 you wrote:
> From: Qingfang DENG <dqfext@gmail.com>
>
> The for-loop was broken from the start. It translates to:
>
> for (i = 0; i < 4; i += 4)
>
> which means the loop statement is run only once, so only the highest
> 32-bit of the IPv6 address gets mangled.
>
> [...]
Here is the summary with links:
- [net,1/3] netfilter: flowtable: really fix NAT IPv6 offload
https://git.kernel.org/netdev/net/c/5fb45f95eec6
- [net,2/3] ipvs: add a 'default' case in do_ip_vs_set_ctl()
https://git.kernel.org/netdev/net/c/ba57ee0944ff
- [net,3/3] netfilter: conntrack: document sctp timeouts
https://git.kernel.org/netdev/net/c/f9645abe4255
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html