* [PATCH net,v2 0/7] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2025-07-17 9:58 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw, horms
v2: Include conntrack fix in cover letter.
-o-
Hi,
The following batch contains Netfilter fixes for net:
1) Three patches to enhance conntrack selftests for resize and clash
resolution, from Florian Westphal.
2) Expand nft_concat_range.sh selftest to improve coverage from error
path, from Florian Westphal.
3) Hide clash bit from userspace in netlink dumps until there is a
good reason to expose it, from Florian Westphal.
4) Revert notification for device registration/unregistration for
nftables basechains and flowtables; we decided to go for a better
way to handle this through the nfnetlink_hook infrastructure, which
will come via nf-next, patch from Phil Sutter.
5) Fix crash in conntrack due to race related to SLAB_TYPESAFE_BY_RCU
that results in removing a recycled object that is not yet in the
hashes. Move IPS_CONFIRM setting after the object is in the hashes.
From Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-07-17
Thanks.
----------------------------------------------------------------
The following changes since commit 7727ec1523d7973defa1dff8f9c0aad288d04008:
net: emaclite: Fix missing pointer increment in aligned_read() (2025-07-11 16:37:06 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-07-17
for you to fetch changes up to 2d72afb340657f03f7261e9243b44457a9228ac7:
netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (2025-07-17 11:23:33 +0200)
----------------------------------------------------------------
netfilter pull request 25-07-17
----------------------------------------------------------------
Florian Westphal (6):
selftests: netfilter: conntrack_resize.sh: extend resize test
selftests: netfilter: add conntrack clash resolution test case
selftests: netfilter: conntrack_resize.sh: also use udpclash tool
selftests: netfilter: nft_concat_range.sh: send packets to empty set
netfilter: nf_tables: hide clash bit from userspace
netfilter: nf_conntrack: fix crash due to removal of uninitialised entry
Phil Sutter (1):
Revert "netfilter: nf_tables: Add notifications for hook changes"
include/net/netfilter/nf_conntrack.h | 15 +-
include/net/netfilter/nf_tables.h | 5 -
include/uapi/linux/netfilter/nf_tables.h | 10 --
include/uapi/linux/netfilter/nfnetlink.h | 2 -
net/netfilter/nf_conntrack_core.c | 26 ++-
net/netfilter/nf_tables_api.c | 59 -------
net/netfilter/nf_tables_trace.c | 3 +
net/netfilter/nfnetlink.c | 1 -
net/netfilter/nft_chain_filter.c | 2 -
tools/testing/selftests/net/netfilter/.gitignore | 1 +
tools/testing/selftests/net/netfilter/Makefile | 3 +
.../selftests/net/netfilter/conntrack_clash.sh | 175 +++++++++++++++++++++
.../selftests/net/netfilter/conntrack_resize.sh | 97 +++++++++++-
.../selftests/net/netfilter/nft_concat_range.sh | 3 +
tools/testing/selftests/net/netfilter/udpclash.c | 158 +++++++++++++++++++
15 files changed, 468 insertions(+), 92 deletions(-)
create mode 100755 tools/testing/selftests/net/netfilter/conntrack_clash.sh
create mode 100644 tools/testing/selftests/net/netfilter/udpclash.c
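The race in item 5 of the cover letter, modelled in user space as an added example (this is neither the kernel's code nor code from this thread): memory in a SLAB_TYPESAFE_BY_RCU cache can be handed out again for a new object of the same type while an RCU reader still holds a pointer to the old one, so a flag the reader uses to decide "this entry is linked in the hashes, it is safe to unlink" must not be set before the link exists. Only the IPS_CONFIRMED name (the cover letter's IPS_CONFIRM) and the before/after ordering come from the thread; the list helpers, the flag value, the zeroing of recycled memory in place of uninitialised list pointers, and the hand-scheduled interleaving are assumptions of the model.

```c
/* User-space model of the SLAB_TYPESAFE_BY_RCU ordering hazard (added example,
 * not kernel code).  The confirm path is split in two steps and a concurrent
 * remover is slotted between them so the race is deterministic and testable. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPS_CONFIRMED (1u << 3)      /* assumed value; only the name is from the thread */

struct hlist_node { struct hlist_node *next, **pprev; };

/* Stand-in for a conntrack entry.  The list node stays as the slab handed
 * the memory back (modelled here as zeroed) until confirm links it. */
struct ct {
    unsigned int status;
    unsigned int tuple;
    struct hlist_node hnode;
};

static struct hlist_node *bucket;   /* one hash bucket is enough for the model */

static void hlist_add_head(struct hlist_node *n)
{
    n->next = bucket;
    n->pprev = &bucket;
    if (bucket)
        bucket->pprev = &n->next;
    bucket = n;
}

static void hlist_del(struct hlist_node *n)
{
    *n->pprev = n->next;
    if (n->next)
        n->next->pprev = n->pprev;
}

/* Outcome of the concurrent remover, from its own point of view. */
enum outcome { SKIPPED_UNCONFIRMED = 0, REMOVED_OK = 1, WOULD_CRASH = -1 };

/* Remover path: takes IPS_CONFIRMED to mean "linked in the hashes, safe to
 * unlink".  A real hlist_del on a never-linked node writes through
 * pprev == NULL; the model reports that instead of faulting. */
static enum outcome try_remove(struct ct *ct)
{
    if (!(ct->status & IPS_CONFIRMED))
        return SKIPPED_UNCONFIRMED;
    if (ct->hnode.pprev == NULL)
        return WOULD_CRASH;
    hlist_del(&ct->hnode);
    ct->hnode.pprev = NULL;
    return REMOVED_OK;
}

/* fixed == false: set the bit, then link (the order the fix removes).
 * fixed == true : link, then set the bit (the order the fix introduces). */
static void confirm_step1(struct ct *ct, bool fixed)
{
    if (fixed)
        hlist_add_head(&ct->hnode);
    else
        ct->status |= IPS_CONFIRMED;
}

static void confirm_step2(struct ct *ct, bool fixed)
{
    if (fixed)
        ct->status |= IPS_CONFIRMED;
    else
        hlist_add_head(&ct->hnode);
}

/* Replay the interleaving the cover letter describes:
 *  1. a reader looks up entry A and keeps the pointer (RCU read side);
 *  2. A is unlinked and freed; the type-stable slab hands the same memory
 *     out as a new, not-yet-linked entry B, with no grace period in between;
 *  3. B's confirm runs its first step;
 *  4. the reader resumes and acts on the pointer it still holds. */
static enum outcome replay_race(bool fixed)
{
    static struct ct slab_slot;      /* the one chunk of memory A and B share */
    struct ct *stale;
    enum outcome o;

    bucket = NULL;
    memset(&slab_slot, 0, sizeof slab_slot);

    slab_slot.tuple = 0xA;           /* entry A: confirmed and linked */
    hlist_add_head(&slab_slot.hnode);
    slab_slot.status |= IPS_CONFIRMED;
    stale = &slab_slot;              /* reader's pointer from here on */

    hlist_del(&slab_slot.hnode);     /* A dies and is freed ... */
    memset(&slab_slot, 0, sizeof slab_slot);   /* ... and recycled as B */
    slab_slot.tuple = 0xB;

    confirm_step1(&slab_slot, fixed);
    o = try_remove(stale);           /* reader resumes mid-confirm */
    confirm_step2(&slab_slot, fixed);
    return o;
}

int main(void)
{
    printf("set bit, then link: %d\n", replay_race(false));
    printf("link, then set bit: %d\n", replay_race(true));
    return 0;
}
```

With the old order the remover sees IPS_CONFIRMED on an entry whose list node was never linked and would unlink it anyway; with the new order it sees an unconfirmed entry and leaves it alone. The model checks only the confirmed bit, which is the ordering the cover letter names; the kernel's own lookup does more, and nothing here should be read as its exact code.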
* Re: [PATCH net,v2 0/7] Netfilter fixes for net
From: Paolo Abeni @ 2025-07-17 12:38 UTC
To: Pablo Neira Ayuso, netfilter-devel
Cc: davem, netdev, kuba, edumazet, fw, horms
On 7/17/25 11:58 AM, Pablo Neira Ayuso wrote:
> v2: Include conntrack fix in cover letter.
>
> -o-
>
> Hi,
>
> The following batch contains Netfilter fixes for net:
>
> 1) Three patches to enhance conntrack selftests for resize and clash
> resolution, from Florian Westphal.
The first run of the newly introduced conntrack_clash.sh test failed on
nipa:
# timeout set to 1800
# selftests: net/netfilter: conntrack_clash.sh
# got 128 of 128 replies
# timed out while waiting for reply from thread
# got 127 of 128 replies
# FAIL: did not receive expected number of replies for 10.0.1.99:22111
# FAIL: clash resolution test for 10.0.1.99:22111 on attempt 2
# got 128 of 128 replies
# timed out while waiting for reply from thread
# got 0 of 128 replies
# FAIL: did not receive expected number of replies for 127.0.0.1:9001
# FAIL: clash resolution test for 127.0.0.1:9001 on attempt 2
# SKIP: Clash resolution did not trigger
not ok 1 selftests: net/netfilter: conntrack_clash.sh # exit=1
I think the above should not block the PR, but please have a look.
Thanks,
Paolo
* Re: [PATCH net,v2 0/7] Netfilter fixes for net
From: Florian Westphal @ 2025-07-17 13:01 UTC
To: Paolo Abeni
Cc: Pablo Neira Ayuso, netfilter-devel, davem, netdev, kuba, edumazet,
horms
Paolo Abeni <pabeni@redhat.com> wrote:
> The first run of the newly introduced conntrack_clash.sh test failed on
> nipa:
>
> # timeout set to 1800
> # selftests: net/netfilter: conntrack_clash.sh
> # got 128 of 128 replies
> # timed out while waiting for reply from thread
> # got 127 of 128 replies
> # FAIL: did not receive expected number of replies for 10.0.1.99:22111
> # FAIL: clash resolution test for 10.0.1.99:22111 on attempt 2
> # got 128 of 128 replies
> # timed out while waiting for reply from thread
> # got 0 of 128 replies
> # FAIL: did not receive expected number of replies for 127.0.0.1:9001
> # FAIL: clash resolution test for 127.0.0.1:9001 on attempt 2
> # SKIP: Clash resolution did not trigger
> not ok 1 selftests: net/netfilter: conntrack_clash.sh # exit=1
> I think the above should not block the PR, but please have a look.
No idea what's happening, I get 100/100 ok :-/
I'll send a revert or $ksft_skip for now if I can't figure it out.
* Re: [PATCH net,v2 0/7] Netfilter fixes for net
From: Jakub Kicinski @ 2025-07-17 13:23 UTC
To: Florian Westphal
Cc: Paolo Abeni, Pablo Neira Ayuso, netfilter-devel, davem, netdev,
edumazet, horms
On Thu, 17 Jul 2025 15:01:53 +0200 Florian Westphal wrote:
> Paolo Abeni <pabeni@redhat.com> wrote:
> > The first run of the newly introduced conntrack_clash.sh test failed on
> > nipa:
> >
> > # timeout set to 1800
> > # selftests: net/netfilter: conntrack_clash.sh
> > # got 128 of 128 replies
> > # timed out while waiting for reply from thread
> > # got 127 of 128 replies
> > # FAIL: did not receive expected number of replies for 10.0.1.99:22111
> > # FAIL: clash resolution test for 10.0.1.99:22111 on attempt 2
> > # got 128 of 128 replies
> > # timed out while waiting for reply from thread
> > # got 0 of 128 replies
> > # FAIL: did not receive expected number of replies for 127.0.0.1:9001
> > # FAIL: clash resolution test for 127.0.0.1:9001 on attempt 2
> > # SKIP: Clash resolution did not trigger
> > not ok 1 selftests: net/netfilter: conntrack_clash.sh # exit=1
> > I think the above should not block the PR, but please have a look.
>
> No idea whats happening, I get 100/100 ok :-/
>
> I'll send a revert or $ksft_skip for now if I can't figure it out.
Oh, I see this disembodied thread now, sorry.
No need to send the skip, we can ignore the case when ingesting results.
* Re: [PATCH net,v2 0/7] Netfilter fixes for net
From: Jakub Kicinski @ 2025-07-17 13:31 UTC
To: Florian Westphal
Cc: Paolo Abeni, Pablo Neira Ayuso, netfilter-devel, davem, netdev,
edumazet, horms
On Thu, 17 Jul 2025 06:23:38 -0700 Jakub Kicinski wrote:
> On Thu, 17 Jul 2025 15:01:53 +0200 Florian Westphal wrote:
> > Paolo Abeni <pabeni@redhat.com> wrote:
> > > # timeout set to 1800
> > > # selftests: net/netfilter: conntrack_clash.sh
> > > # got 128 of 128 replies
> > > # timed out while waiting for reply from thread
> > > # got 127 of 128 replies
> > > # FAIL: did not receive expected number of replies for 10.0.1.99:22111
> > > # FAIL: clash resolution test for 10.0.1.99:22111 on attempt 2
> > > # got 128 of 128 replies
> > > # timed out while waiting for reply from thread
> > > # got 0 of 128 replies
> > > # FAIL: did not receive expected number of replies for 127.0.0.1:9001
> > > # FAIL: clash resolution test for 127.0.0.1:9001 on attempt 2
> > > # SKIP: Clash resolution did not trigger
> > > not ok 1 selftests: net/netfilter: conntrack_clash.sh # exit=1
> > > I think the above should not block the PR, but please have a look.
> >
> > No idea whats happening, I get 100/100 ok :-/
> >
> > I'll send a revert or $ksft_skip for now if I can't figure it out.
>
> Oh, I see this disembodied thread now, sorry.
>
> No need to send the skip, we can ignore the case when ingesting results.
FWIW
# nft --version
nftables v1.1.3 (Commodore Bullmoose #4)
nftables# git log -1 --format=reference
610089f2 (cache: Tolerate object deserialization failures, 2025-05-16)