From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: nft_ct: fix expiration getter
Date: Fri, 8 Jul 2016 15:25:43 +0200 [thread overview]
Message-ID: <20160708132543.GA23868@salvia> (raw)
In-Reply-To: <20160708125646.GA23652@salvia>
[-- Attachment #1: Type: text/plain, Size: 830 bytes --]
On Fri, Jul 08, 2016 at 02:56:46PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Jul 06, 2016 at 02:53:06PM +0200, Florian Westphal wrote:
> > We need to compute timeout.expires - jiffies, not the other way around.
> > Add a helper, another patch can then later change more places in
> > conntrack code where we currently open-code this.
> >
> > Will allow us to only change one place later when we remove per-ct timer.
>
> Applied, thanks.
I just realized that this is broken from userspace, look:
# nft --debug=netlink add rule x y ct expiration 10s
ip x y
[ ct load expiration => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
<cmdline>:1:1-30: Error: Could not process rule: No such file or
directory
add rule x y ct expiration 10s
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
jiffies_to_msecs() returns milliseconds, but userspace uses seconds.
[-- Attachment #2: 0001-datatype-time_type-should-send-milliseconds-to-users.patch --]
[-- Type: text/x-diff, Size: 3443 bytes --]
>From 899bce830f990cb32206c32f86edeb2f69ad109e Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 8 Jul 2016 15:12:31 +0200
Subject: [PATCH nft] datatype: time_type should send milliseconds to userspace
Kernel expects milliseconds, so fix this datatype to use
milliseconds instead of seconds.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/utils.h | 1 +
src/datatype.c | 3 ++-
tests/py/any/ct.t.payload | 18 +++++++++---------
3 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/include/utils.h b/include/utils.h
index 8a1dc5e..d886764 100644
--- a/include/utils.h
+++ b/include/utils.h
@@ -83,6 +83,7 @@
(void) (&_max1 == &_max2); \
_max1 > _max2 ? _max1 : _max2; })
+#define MSEC_PER_SEC 1000L
/**
* fls - find last (most-significant) bit set
diff --git a/src/datatype.c b/src/datatype.c
index 40e14c9..002c4c6 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -883,7 +883,7 @@ struct error_record *time_parse(const struct location *loc, const char *str,
static void time_type_print(const struct expr *expr)
{
- time_print(mpz_get_uint64(expr->value));
+ time_print(mpz_get_uint64(expr->value) / MSEC_PER_SEC);
}
static struct error_record *time_type_parse(const struct expr *sym,
@@ -896,6 +896,7 @@ static struct error_record *time_type_parse(const struct expr *sym,
if (erec != NULL)
return erec;
+ s *= MSEC_PER_SEC;
if (s > UINT32_MAX)
return error(&sym->location, "value too large");
diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index 7ed3338..8b1a04f 100644
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -198,36 +198,36 @@ ip test-ip4 output
# ct expiration 30
ip test-ip4 output
[ ct load expiration => reg 1 ]
- [ cmp eq reg 1 0x0000001e ]
+ [ cmp eq reg 1 0x00007530 ]
# ct expiration 22
ip test-ip4 output
[ ct load expiration => reg 1 ]
- [ cmp eq reg 1 0x00000016 ]
+ [ cmp eq reg 1 0x000055f0 ]
# ct expiration != 233
ip test-ip4 output
[ ct load expiration => reg 1 ]
- [ cmp neq reg 1 0x000000e9 ]
+ [ cmp neq reg 1 0x00038e28 ]
# ct expiration 33-45
ip test-ip4 output
[ ct load expiration => reg 1 ]
[ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ cmp gte reg 1 0x21000000 ]
- [ cmp lte reg 1 0x2d000000 ]
+ [ cmp gte reg 1 0xe8800000 ]
+ [ cmp lte reg 1 0xc8af0000 ]
# ct expiration != 33-45
ip test-ip4 output
[ ct load expiration => reg 1 ]
[ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ cmp lt reg 1 0x21000000 ]
- [ cmp gt reg 1 0x2d000000 ]
+ [ cmp lt reg 1 0xe8800000 ]
+ [ cmp gt reg 1 0xc8af0000 ]
# ct expiration {33, 55, 67, 88}
__set%d test-ip4 3
__set%d test-ip4 0
- element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end]
+ element 000080e8 : 0 [end] element 0000d6d8 : 0 [end] element 000105b8 : 0 [end] element 000157c0 : 0 [end]
ip test-ip4 output
[ ct load expiration => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -235,7 +235,7 @@ ip test-ip4 output
# ct expiration {33-55}
__set%d test-ip4 7
__set%d test-ip4 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+ element 00000000 : 1 [end] element e8800000 : 0 [end] element d9d60000 : 1 [end]
ip test-ip4 output
[ ct load expiration => reg 1 ]
[ byteorder reg 1 = hton(reg 1, 4, 4) ]
--
2.1.4
next prev parent reply other threads:[~2016-07-08 13:25 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-06 12:53 [PATCH nf] netfilter: nft_ct: fix expiration getter Florian Westphal
2016-07-08 12:56 ` Pablo Neira Ayuso
2016-07-08 13:25 ` Pablo Neira Ayuso [this message]
2016-07-08 14:54 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160708132543.GA23868@salvia \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).