From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org, Eric Garver <e@erig.me>
Subject: Re: [nf-next PATCH v6 0/7] Dynamic hook interface binding part 1
Date: Fri, 22 Nov 2024 19:18:05 +0100 [thread overview]
Message-ID: <Z0DK3WKKfg3YEUPR@orbyte.nwl.cc> (raw)
In-Reply-To: <Z0CJkzhOls1Dr4N2@calendula>
On Fri, Nov 22, 2024 at 02:39:31PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Nov 21, 2024 at 06:04:55PM +0100, Phil Sutter wrote:
> > Hi,
> >
> > On Tue, Nov 19, 2024 at 05:09:17PM +0100, Phil Sutter wrote:
> > [...]
> > > Checking callers of nft_unregister_flowtable_net_hooks():
> > >
> > > nf_tables_commit() calls it for DELFLOWTABLE, code-paths differ for
> > > flowtable updates or complete deletions: With the latter,
> > > nft_commit_release() calls nf_tables_flowtable_destroy() which does the
> > > UNBIND. So if deleting individual interfaces from an offloaded flowtable
> > > is supported, we may miss the UNBIND there.
> > >
> > > __nf_tables_abort() calls it for NEWFLOWTABLE. The hooks should have
> > > been bound by nf_tables_newflowtable() (or nft_flowtable_update(),
> > > respectively) so this seems like missing UNBIND there.
> > >
> > > Now about __nft_release_hook, I see:
> > >
> > > nf_tables_pre_exit_net
> > > -> __nft_release_hooks
> > > -> __nft_release_hook
> > >
> > > Do we have to UNBIND at netns exit?
> > >
> > > There is also:
> > >
> > > nft_rcv_nl_event
> > > -> __nft_release_hook
> > >
> > > I don't see where hooks of flowtables in owner flag tables are unbound.
> >
> > So I validated these findings by adding printks to BIND and UNBIND calls
> > and performing these actions:
> >
> > - Delete an interface from a flowtable with multiple interfaces
> >
> > - Add a (device to a) flowtable with --check flag
> >
> > - Delete a netns containing a flowtable
> >
> > - In an interactive nft session, create a table with owner flag and
> > flowtable inside, then quit
> >
> > All these cases cause imbalance between BIND and UNBIND calls. Looking
> > at possible fixes, I wonder how things are supposed to be: When deleting
> > a flowtable, nf_tables_commit will unregister hooks (via
> > nf_unregister_net_hook), but not unlink/free them. Then, in
> > nft_commit_release, the UNBIND happens along with unlink/free. Is this
> > the correct process? Namely unregister and wait for RCU grace period
> > before performing UNBIND? Or is this arbitrary and combining unregister
> > with UBIND is OK in all cases?
>
> Thanks for the detailed report.
>
> Basically, add/delete interface to an existing flowtable is not
> supported by hardware offload at this stage, one option is to reject
> this by now.
Oh, that's interesting news! Is it sufficient to reject flowtable
updates if nf_flowtable::flags has NF_FLOWTABLE_HW_OFFLOAD bit set?
> Then, netns integration was never considered, because it was not clear
> to me how hardware offload mix with containers at this stage. This
> needs to be fixed. Same applies interactive nft session (owner flag).
Those two should be unproblematic though, both netns exit and owner exit
cause full flowtable deletion - basically same mechanism as for regular
'nft delete flowtable' should suffice.
> This is my mess, let me post a fix so we can soonish clean the way for
> you to follow up on your effort to allow for dynamic interface
> bindings in the next merge window once this fix gets to net.git.
Sure, thanks!
Cheers, Phil
prev parent reply other threads:[~2024-11-22 18:18 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-23 14:57 [nf-next PATCH v6 0/7] Dynamic hook interface binding part 1 Phil Sutter
2024-10-23 14:57 ` [nf-next PATCH v6 1/7] netfilter: nf_tables: Flowtable hook's pf value never varies Phil Sutter
2024-10-23 14:57 ` [nf-next PATCH v6 2/7] netfilter: nf_tables: Store user-defined hook ifname Phil Sutter
2024-10-23 14:57 ` [nf-next PATCH v6 3/7] netfilter: nf_tables: Use stored ifname in netdev hook dumps Phil Sutter
2024-10-23 14:57 ` [nf-next PATCH v6 4/7] netfilter: nf_tables: Compare netdev hooks based on stored name Phil Sutter
2024-10-23 14:57 ` [nf-next PATCH v6 5/7] netfilter: nf_tables: Tolerate chains with no remaining hooks Phil Sutter
2024-10-23 14:57 ` [nf-next PATCH v6 6/7] netfilter: nf_tables: Simplify chain netdev notifier Phil Sutter
2024-10-23 14:57 ` [nf-next PATCH v6 7/7] netfilter: nf_tables: Drop __nft_unregister_flowtable_net_hooks() Phil Sutter
2024-11-15 11:57 ` [nf-next PATCH v6 0/7] Dynamic hook interface binding part 1 Pablo Neira Ayuso
2024-11-19 16:09 ` Phil Sutter
2024-11-21 17:04 ` Phil Sutter
2024-11-22 13:39 ` Pablo Neira Ayuso
2024-11-22 18:18 ` Phil Sutter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z0DK3WKKfg3YEUPR@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=e@erig.me \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.