From: Stefano Brivio <sbrivio@redhat.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Phil Sutter <phil@nwl.cc>,
netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>
Subject: Re: [PATCH nf 0/2] nft_set_pipapo: Fix crash due to dangling entries in mapping table
Date: Wed, 26 Feb 2020 12:02:53 +0100 [thread overview]
Message-ID: <20200226120253.71e9f0e0@redhat.com> (raw)
In-Reply-To: <20200226105804.xramr6duqkvrtop3@salvia>
On Wed, 26 Feb 2020 11:58:04 +0100
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Tue, Feb 25, 2020 at 09:58:47PM +0100, Pablo Neira Ayuso wrote:
> > On Tue, Feb 25, 2020 at 09:38:15PM +0100, Stefano Brivio wrote:
> > > On Tue, 25 Feb 2020 21:21:43 +0100
> > > Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > >
> > > > Hi Stefano,
> > > >
> > > > On Tue, Feb 25, 2020 at 03:34:35PM +0100, Stefano Brivio wrote:
> > > > [...]
> > > > > This is the problem Phil reported:
> > > > [...]
> > > > > Or also simply with:
> > > > >
> > > > > # nft add element t s '{ 20-30 . 40 }'
> > > > > # nft add element t s '{ 25-35 . 40 }'
> > > > >
> > > > > the second element is silently ignored. I'm returning -EEXIST from
> > > > > nft_pipapo_insert(), but nft_add_set_elem() clears it because NLM_F_EXCL
> > > > > is not set.
> > > > >
> > > > > Are you suggesting that this is consistent and therefore not a problem?
> > > >
> > > > NLM_F_EXCL !NLM_F_EXCL
> > > > exact match EEXIST 0 [*]
> > > > partial match EEXIST EEXIST
> > > >
> > > > The [*] case would allow for element timeout/expiration updates from
> > > > the control plane for exact matches.
> > >
> > > A-ha. I didn't even consider that.
> > >
> > > > Note that element updates are not
> > > > supported yet, so this check for !NLM_F_EXCL is a stub. I don't think
> > > > we should allow for updates on partial matches
> > > >
> > > > I think what it is missing is a error to report "partial match" from
> > > > pipapo. Then, the core translates this "partial match" error to EEXIST
> > > > whether NLM_F_EXCL is set or not.
> > >
> > > Yes, given what you explained, I also think it's the case.
> > >
> > > > Would this work for you?
> > >
> > > It would. I need to write a few more lines in nft_pipapo_insert(),
> > > because right now I don't have a special case for "entirely
> > > overlapping". Something on the lines of:
> > >
> > > dup = pipapo_get(net, set, start, genmask);
> > > if (PTR_ERR(dup) == -ENOENT) {
> > >
> > > --> compare start and end key for this entry with
> > > start and end key from 'ext'
> > >
> > > Let me know if you want me to post a patch with a placeholder for
> > > whatever you have in mind, or if I can help implementing this, etc.
> >
> > Please, go ahead with the placeholder, it might be faster. I'll jump
> > on it.
>
> Sorry, I just realized I can be probably quicker on the core side.
> Here is my proposal.
>
> I'm attaching a patch for the core. This is handling -ENOTEMPTY which
> is (ab)used to report the partial element matching.
>
> if NLM_F_EXCL is set off, then -EEXIST becomes 0.
> then -ENOTEMPTY becomes -EEXIST.
>
> Would this work for you?
Oops, I sent you my patch 80 seconds later it seems. Yes, we just need
to s/TTY/TEMPTY/ :)
Let me know how to proceed, if you want me to post that or you want to
post that (as a series?).
--
Stefano
next prev parent reply other threads:[~2020-02-26 11:03 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-21 2:04 [PATCH nf 0/2] nft_set_pipapo: Fix crash due to dangling entries in mapping table Stefano Brivio
2020-02-21 2:04 ` [PATCH nf 1/2] nft_set_pipapo: Actually fetch key data in nft_pipapo_remove() Stefano Brivio
2020-02-21 2:04 ` [PATCH nf 2/2] selftests: nft_concat_range: Add test for reported add/flush/add issue Stefano Brivio
2020-02-21 21:17 ` [PATCH nf 0/2] nft_set_pipapo: Fix crash due to dangling entries in mapping table Phil Sutter
2020-02-21 22:22 ` Stefano Brivio
2020-02-22 1:19 ` Phil Sutter
2020-02-23 21:22 ` Stefano Brivio
2020-02-25 12:39 ` Pablo Neira Ayuso
2020-02-25 12:45 ` Stefano Brivio
2020-02-25 13:13 ` Stefano Brivio
2020-02-25 13:42 ` Pablo Neira Ayuso
2020-02-25 14:34 ` Stefano Brivio
2020-02-25 18:48 ` Phil Sutter
2020-02-25 19:33 ` Stefano Brivio
2020-02-25 20:21 ` Pablo Neira Ayuso
2020-02-25 20:38 ` Stefano Brivio
2020-02-25 20:58 ` Pablo Neira Ayuso
2020-02-26 10:58 ` Pablo Neira Ayuso
2020-02-26 11:01 ` Pablo Neira Ayuso
2020-02-26 11:02 ` Stefano Brivio [this message]
2020-02-26 11:29 ` Pablo Neira Ayuso
2020-02-26 11:36 ` Stefano Brivio
2020-02-26 11:53 ` Pablo Neira Ayuso
2020-02-26 10:59 ` Stefano Brivio
2020-02-26 11:10 ` Pablo Neira Ayuso
2020-02-26 11:19 ` Stefano Brivio
2020-02-26 11:34 ` Pablo Neira Ayuso
2020-02-26 11:39 ` Stefano Brivio
2020-02-26 11:54 ` Stefano Brivio
2020-02-26 12:10 ` Pablo Neira Ayuso
2020-02-26 13:33 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200226120253.71e9f0e0@redhat.com \
--to=sbrivio@redhat.com \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.