From: Felix Huettner <felix.huettner@mail.schwarz>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Ilya Maximets <i.maximets@ovn.org>,
linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, netdev@vger.kernel.org,
linux-kselftest@vger.kernel.org, kadlec@netfilter.org,
fw@strlen.de, davem@davemloft.net, edumazet@google.com,
pabeni@redhat.com, shuah@kernel.org, luca.czesla@mail.schwarz,
max.lamprecht@mail.schwarz, Simon Horman <horms@ovn.org>
Subject: Re: [PATCH net-next v2] net: ctnetlink: support filtering by zone
Date: Fri, 2 Feb 2024 12:22:55 +0000 [thread overview]
Message-ID: <Zbzen36ahZaiR+qp@felix.runs.onstackit.cloud> (raw)
In-Reply-To: <ZbzOA1D1IGYX2oxS@calendula>
On Fri, Feb 02, 2024 at 12:12:03PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Feb 02, 2024 at 12:04:35PM +0100, Ilya Maximets wrote:
> > On 12/22/23 13:01, Pablo Neira Ayuso wrote:
> > > On Mon, Nov 27, 2023 at 11:49:16AM +0000, Felix Huettner wrote:
> > >> conntrack zones are heavily used by tools like openvswitch to run
> > >> multiple virtual "routers" on a single machine. In this context each
> > >> conntrack zone matches to a single router, thereby preventing
> > >> overlapping IPs from becoming issues.
> > >> In these systems it is common to operate on all conntrack entries of a
> > >> given zone, e.g. to delete them when a router is deleted. Previously this
> > >> required these tools to dump the full conntrack table and filter out the
> > >> relevant entries in userspace potentially causing performance issues.
> > >>
> > >> To do this we reuse the existing CTA_ZONE attribute. This was previous
> > >> parsed but not used during dump and flush requests. Now if CTA_ZONE is
> > >> set we filter these operations based on the provided zone.
> > >> However this means that users that previously passed CTA_ZONE will
> > >> experience a difference in functionality.
> > >>
> > >> Alternatively CTA_FILTER could have been used for the same
> > >> functionality. However it is not yet supported during flush requests and
> > >> is only available when using AF_INET or AF_INET6.
> > >
> > > For the record, this is applied to nf-next.
> >
> > Hi, Felix and Pablo.
> >
> > I was looking through the code and the following part is bothering me:
> >
> > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> > index fb0ae15e96df..4e9133f61251 100644
> > --- a/net/netfilter/nf_conntrack_netlink.c
> > +++ b/net/netfilter/nf_conntrack_netlink.c
> > @@ -1148,6 +1149,10 @@ static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
> > if (filter->family && nf_ct_l3num(ct) != filter->family)
> > goto ignore_entry;
> >
> > + if (filter->zone.id != NF_CT_DEFAULT_ZONE_ID &&
> > + !nf_ct_zone_equal_any(ct, &filter->zone))
> > + goto ignore_entry;
> > +
> > if (filter->orig_flags) {
> > tuple = nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL);
> > if (!ctnetlink_filter_match_tuple(&filter->orig, tuple,
> >
> > If I'm reading that right, the default zone is always flushed, even if the
> > user requested to flush a different zone. I.e. the entry is never ignored
> > for a default zone. Is that correct or am I reading that wrong?
> >
> > If my observation is correct, then I don't think this functionality can
> > actually be used by applications as it does something unexpected.
>
> This needs a fix, the NF_CT_DEFAULT_ZONE_ID is used as a marker to
> indicate if the filtering by zone needs to happen or not.
>
> I'd suggest to add a boolean flag that specifies that zone filtering
> is set on.
Hi Pablo and Ilya,
thanks for finding that.
i will build a fix for that.
next prev parent reply other threads:[~2024-02-02 12:24 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-27 11:49 [PATCH net-next v2] net: ctnetlink: support filtering by zone Felix Huettner
2023-11-27 12:38 ` Pablo Neira Ayuso
2023-12-01 11:30 ` Felix Huettner
2023-12-05 9:39 ` Felix Huettner
2023-12-22 12:01 ` Pablo Neira Ayuso
2024-02-02 11:04 ` Ilya Maximets
2024-02-02 11:12 ` Pablo Neira Ayuso
2024-02-02 12:22 ` Felix Huettner [this message]
2024-02-05 10:04 ` Felix Huettner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zbzen36ahZaiR+qp@felix.runs.onstackit.cloud \
--to=felix.huettner@mail.schwarz \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=horms@ovn.org \
--cc=i.maximets@ovn.org \
--cc=kadlec@netfilter.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=luca.czesla@mail.schwarz \
--cc=max.lamprecht@mail.schwarz \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=shuah@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.