netdev.vger.kernel.org archive mirror
From: Jakub Kicinski <kuba@kernel.org>
To: Pablo Neira Ayuso <pablo@netfilter.org>, fw@strlen.de
Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net,
	netdev@vger.kernel.org, pabeni@redhat.com, edumazet@google.com,
	horms@kernel.org
Subject: Re: [PATCH net-next,v2 0/7] Netfilter updates for net-next
Date: Fri, 25 Apr 2025 09:18:54 -0700
Message-ID: <20250425091854.4b5964fd@kernel.org>
In-Reply-To: <20250424211455.242482-1-pablo@netfilter.org>

On Thu, 24 Apr 2025 23:14:48 +0200 Pablo Neira Ayuso wrote:
> v2: including fixes from Florian to address selftest issues
>     and a fix for set element count and type.

Thanks, appreciated! All our networking tests now pass, but there
seems to still be some breakage on the BPF side, so
tools/testing/selftests/bpf/config needs touching up.

I suppose while addressing the RT problem you're trying to move
stragglers off from the legacy stuff to nft? Which I'm entirely
sympathetic to. But I'm worried that not everybody will be, and
there's plenty of defconfigs which include iptables:

$ git grep CONFIG_IP_NF_IPTABLES= | wc -l
54

At the end of the day it's up to you, but maybe sleep on it? :)
And the BPF side needs fixing for sure, they will notice..

Error: #25 bpf_nf
Error: #25/1 bpf_nf/xdp-ct
  Error: #25/1 bpf_nf/xdp-ct
  test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
  test_bpf_nf_ct:FAIL:iptables-legacy -t raw -A PREROUTING -j CONNMARK --set-mark 42/0 unexpected error: 768 (errno 0)
Error: #25/2 bpf_nf/tc-bpf-ct
  Error: #25/2 bpf_nf/tc-bpf-ct
  test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
  test_bpf_nf_ct:FAIL:iptables-legacy -t raw -A PREROUTING -j CONNMARK --set-mark 42/0 unexpected error: 768 (errno 0)
Error: #621 xdp_synproxy
Error: #621/1 xdp_synproxy/xdp
  Error: #621/1 xdp_synproxy/xdp
  test_synproxy:PASS:ip netns add synproxy 0 nsec
  test_synproxy:PASS:ip link add tmp0 type veth peer name tmp1 0 nsec
  test_synproxy:PASS:ip link set tmp1 netns synproxy 0 nsec
  test_synproxy:PASS:ip link set tmp0 up 0 nsec
  test_synproxy:PASS:ip addr replace 198.18.0.1/24 dev tmp0 0 nsec
  test_synproxy:PASS:ethtool -K tmp0 tx off 0 nsec
  test_synproxy:PASS:ip link set tmp0 xdp object xdp_dummy.bpf.o section xdp 2> /dev/null 0 nsec
  test_synproxy:PASS:setns 0 nsec
  test_synproxy:PASS:ip link set lo up 0 nsec
  test_synproxy:PASS:ip link set tmp1 up 0 nsec
  test_synproxy:PASS:ip addr replace 198.18.0.2/24 dev tmp1 0 nsec
  test_synproxy:PASS:sysctl -w net.ipv4.tcp_syncookies=2 0 nsec
  test_synproxy:PASS:sysctl -w net.ipv4.tcp_timestamps=1 0 nsec
  test_synproxy:PASS:sysctl -w net.netfilter.nf_conntrack_tcp_loose=0 0 nsec
  test_synproxy:FAIL:iptables-legacy -t raw -I PREROUTING 	    -i tmp1 -p tcp -m tcp --syn --dport 8080 -j CT --notrack unexpected error: 768 (errno 95)
Error: #621/2 xdp_synproxy/tc
  Error: #621/2 xdp_synproxy/tc
  test_synproxy:PASS:ip netns add synproxy 0 nsec
  test_synproxy:PASS:ip link add tmp0 type veth peer name tmp1 0 nsec
  test_synproxy:PASS:ip link set tmp1 netns synproxy 0 nsec
  test_synproxy:PASS:ip link set tmp0 up 0 nsec
  test_synproxy:PASS:ip addr replace 198.18.0.1/24 dev tmp0 0 nsec
  test_synproxy:PASS:ethtool -K tmp0 tx off 0 nsec
  test_synproxy:PASS:setns 0 nsec
  test_synproxy:PASS:ip link set lo up 0 nsec
  test_synproxy:PASS:ip link set tmp1 up 0 nsec
  test_synproxy:PASS:ip addr replace 198.18.0.2/24 dev tmp1 0 nsec
  test_synproxy:PASS:sysctl -w net.ipv4.tcp_syncookies=2 0 nsec
  test_synproxy:PASS:sysctl -w net.ipv4.tcp_timestamps=1 0 nsec
  test_synproxy:PASS:sysctl -w net.netfilter.nf_conntrack_tcp_loose=0 0 nsec
  test_synproxy:FAIL:iptables-legacy -t raw -I PREROUTING 	    -i tmp1 -p tcp -m tcp --syn --dport 8080 -j CT --notrack unexpected error: 768 (errno 95)

https://github.com/kernel-patches/bpf/actions/runs/14667575264/job/41166480606
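
A triage sketch for the log above, added as an example and not part of the message or the kernel tree: it pulls the FAIL lines out of selftest output, decodes the reported status, and lists which legacy tool, table and target each failing test depends on. It assumes the number after "unexpected error:" is the raw wait status returned by system(); the function names are hypothetical and the sample log is constructed in the shape of the lines quoted above.

```python
import re

# Constructed sample: lines in the shape of the CI log quoted in the message.
SAMPLE_LOG = """\
  test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
  test_bpf_nf_ct:FAIL:iptables-legacy -t raw -A PREROUTING -j CONNMARK --set-mark 42/0 unexpected error: 768 (errno 0)
  test_synproxy:PASS:sysctl -w net.ipv4.tcp_syncookies=2 0 nsec
  test_synproxy:FAIL:iptables-legacy -t raw -I PREROUTING \t    -i tmp1 -p tcp -m tcp --syn --dport 8080 -j CT --notrack unexpected error: 768 (errno 95)
"""

FAIL_RE = re.compile(
    r"^\s*(?P<test>\w+):FAIL:(?P<cmd>.+?) unexpected error: "
    r"(?P<status>-?\d+) \(errno (?P<errno>\d+)\)\s*$"
)


def decode_status(status):
    """Decode a wait status (assumed: the raw return value of system())."""
    if status < 0:
        return ("not-run", status)          # system() itself failed
    if status & 0x7F:
        return ("signal", status & 0x7F)    # terminated by a signal
    return ("exit", (status >> 8) & 0xFF)   # normal exit code


def option_value(argv, flag):
    """Return the word following `flag`, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv[:-1] else None


def failing_commands(log):
    """Return one record per FAIL line: test, tool, table, target, status."""
    rows = []
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        argv = m["cmd"].split()             # also collapses the embedded tab
        rows.append({
            "test": m["test"],
            "tool": argv[0],
            "table": option_value(argv, "-t"),
            "target": option_value(argv, "-j"),
            "result": decode_status(int(m["status"])),
            "errno": int(m["errno"]),
        })
    return rows


def required_features(log):
    """Distinct (tool, table, target) triples the failing tests depend on."""
    return sorted({(r["tool"], r["table"], r["target"]) for r in failing_commands(log)})
```

Under the stated assumption, 768 decodes to exit code 3 from iptables-legacy in both tests, and both failures involve the raw table.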

Thread overview:
2025-04-24 21:14 [PATCH net-next,v2 0/7] Netfilter updates for net-next Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 1/7] netfilter: xt_IDLETIMER: convert timeouts to secs_to_jiffies() Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 2/7] netfilter: xt_cgroup: Make it independent from net_cls Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 3/7] net: cgroup: Guard users of sock_cgroup_classid() Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 4/7] netfilter: Exclude LEGACY TABLES on PREEMPT_RT Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 5/7] netfilter: conntrack: Remove redundant NFCT_ALIGN call Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 6/7] docs: tproxy: fix formatting for nft code block Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 7/7] netfilter: nf_tables: export set count and backend name to userspace Pablo Neira Ayuso
2025-04-25 16:18 ` Jakub Kicinski [this message]
2025-04-25 17:59   ` [PATCH net-next,v2 0/7] Netfilter updates for net-next Florian Westphal