From: Florian Westphal <fw@strlen.de>
To: Jordan Griege <jgriege@cloudflare.com>
Cc: netfilter@vger.kernel.org
Subject: Re: nf_queue flush on deletion
Date: Mon, 11 Jul 2022 21:52:33 +0200 [thread overview]
Message-ID: <20220711195233.GA11099@breakpoint.cc> (raw)
In-Reply-To: <CA+=Uk6bgPJtcF3XDtraF0vHL8EmY+hqAwXhmzqka5HwDL_jnBg@mail.gmail.com>
Jordan Griege <jgriege@cloudflare.com> wrote:
> I am looking for a way to run a userspace firewall and came across
> nf_queue. The library documentation and examples were easy enough to
> follow, but I found some unexpected behavior when setting up a
> proof-of-concept. Say I have the following nftables configuration
> loaded:
>
> table ip test-queue {
> chain prerouting {
> type filter hook prerouting priority filter; policy accept;
> queue num 0 bypass
> }
> }
> table ip unrelated {
> chain input {
> type filter hook input priority mangle; policy accept;
> }
> }
>
> and a program running that reads packets from queue 0. If at any
> point I run a command that deletes a base chain, e.g.
>
> nft delete table ip unrelated
>
> Then all the packets in queue 0 are dropped. When the program sends a
> verdict for any packets it had received before the queue was flushed,
> the nf_queue system responds with an ENOENT message (wrapped in a
> header with NLMSG_ERROR) through the netlink socket.
>
> This appears to be the intended behavior by what I could make of the
> kernel code. Is that correct, and if so, what is the motivation?
Sorry for late reply. While packet is out, the list of active hooks
leaves RCU protection, so, when reinject happens we need to re-fetch the
list. The alternative to just dropping is to possibly queue the packet
again (when hooks were inserted before reinjection position), or skip
existing hooks (in case ofhook deletion).
> Would it be possible to develop a patch that determines queue 0 should
> be unaffected by that chain deletion and preserves the queue contents?
> Has such a change been attempted before? Or is there some other
> workaround for this behavior?
This was the old behaviour, but this made it necessary to do acquire a
reference count on the base hooks to prevent their removal while packets
the packet is queued.
If the only problem is the ENOENT, then i'd suggest to remove the
hook drop and store (u32)nf_hook_entries_head(net, pf, state->hook)
at nf_queue() time, then re-check that at nf_reinject() time.
Another option would be to store a 'u32 genid' struct netns_nf, store
that at nf_queue time, revalidate at nf_reinject and increment it instead
of dropping queued packets at hook deletion time.
prev parent reply other threads:[~2022-07-11 19:52 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-13 20:36 nf_queue flush on deletion Jordan Griege
2022-07-11 19:52 ` Florian Westphal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220711195233.GA11099@breakpoint.cc \
--to=fw@strlen.de \
--cc=jgriege@cloudflare.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.