Re: nftables >= 0.9.8: atomic update (nft -f ...) of a set not possible any more

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Re: nftables >= 0.9.8: atomic update (nft -f ...) of a set not possible any more
       [not found] <5tg3b13w5.PCaY2G@prvy.eu>
@ 2022-01-04 19:57 ` Florian Westphal
  2022-01-04 23:22   ` Stefano Brivio
  0 siblings, 1 reply; 2+ messages in thread
From: Florian Westphal @ 2022-01-04 19:57 UTC (permalink / raw)
  To: etkaar; +Cc: netfilter, netfilter-devel, sbrivio

etkaar <lists.netfilter.org@prvy.eu> wrote:

[ CC Stefano ]

> Dear colleagues,
> 
> given is following perfectly working ruleset (nft list ruleset), which drops almost all of the IPv4 traffic, but grants access to port 22 (SSH) for two IPv4 addresses provided by the set named 'whitelist_ipv4_tcp':

Thanks for reporting, I can reproduce this.

> +++
> table inet filter {
> 	set whitelist_ipv4_tcp {
> 		type inet_service . ipv4_addr
> 		flags interval
> 		elements = { 22 . 111.222.333.444,
> 			     22 . 555.666.777.888 }
> 	}

I can repro this, looks like missing scratchpad cloning in the set
backend.

I can see that after second 'nft -f', avx2_lookup takes the 'if (unlikely(!scratch)) {' branch.

Can you try this (kernel) patch below?

As a workaround, you could try removing the 'interval' flag so that
kernel uses a hash table as set backend instead.

Stefano, does that patch make sense to you?
Thanks!

diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1271,7 +1271,7 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
 {
 	struct nft_pipapo_field *dst, *src;
 	struct nft_pipapo_match *new;
-	int i;
+	int i, err;
 
 	new = kmalloc(sizeof(*new) + sizeof(*dst) * old->field_count,
 		      GFP_KERNEL);
@@ -1291,6 +1291,14 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
 		goto out_scratch;
 #endif
 
+	err = pipapo_realloc_scratch(new, old->bsize_max);
+	if (err) {
+#ifdef NFT_PIPAPO_ALIGN
+		free_percpu(new->scratch_aligned);
+#endif
+		goto out_scratch;
+	}
+
 	rcu_head_init(&new->rcu);
 
 	src = old->f;

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: nftables >= 0.9.8: atomic update (nft -f ...) of a set not possible any more
  2022-01-04 19:57 ` nftables >= 0.9.8: atomic update (nft -f ...) of a set not possible any more Florian Westphal
@ 2022-01-04 23:22   ` Stefano Brivio
  0 siblings, 0 replies; 2+ messages in thread
From: Stefano Brivio @ 2022-01-04 23:22 UTC (permalink / raw)
  To: Florian Westphal; +Cc: etkaar, netfilter, netfilter-devel

Hi Florian,

On Tue, 4 Jan 2022 20:57:28 +0100
Florian Westphal <fw@strlen.de> wrote:

> etkaar <lists.netfilter.org@prvy.eu> wrote:
> 
> [ CC Stefano ]
> 
> > Dear colleagues,
> > 
> > given is following perfectly working ruleset (nft list ruleset), which drops almost all of the IPv4 traffic, but grants access to port 22 (SSH) for two IPv4 addresses provided by the set named 'whitelist_ipv4_tcp':  
> 
> Thanks for reporting, I can reproduce this.
> 
> > +++
> > table inet filter {
> > 	set whitelist_ipv4_tcp {
> > 		type inet_service . ipv4_addr
> > 		flags interval
> > 		elements = { 22 . 111.222.333.444,
> > 			     22 . 555.666.777.888 }
> > 	}  
> 
> I can repro this, looks like missing scratchpad cloning in the set
> backend.
> 
> I can see that after second 'nft -f', avx2_lookup takes the 'if (unlikely(!scratch)) {' branch.
> 
> Can you try this (kernel) patch below?
> 
> As a workaround, you could try removing the 'interval' flag so that
> kernel uses a hash table as set backend instead.
> 
> Stefano, does that patch make sense to you?
> Thanks!

Thanks for checking and fixing this!

Yes, it makes sense, a clone without a subsequent new insertion
wouldn't have a scratchpad otherwise -- I wonder how I missed this.
Just perhaps:

> diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
> --- a/net/netfilter/nft_set_pipapo.c
> +++ b/net/netfilter/nft_set_pipapo.c
> @@ -1271,7 +1271,7 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
>  {
>  	struct nft_pipapo_field *dst, *src;
>  	struct nft_pipapo_match *new;
> -	int i;
> +	int i, err;
>  
>  	new = kmalloc(sizeof(*new) + sizeof(*dst) * old->field_count,
>  		      GFP_KERNEL);
> @@ -1291,6 +1291,14 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
>  		goto out_scratch;
>  #endif
>  
> +	err = pipapo_realloc_scratch(new, old->bsize_max);
> +	if (err) {
> +#ifdef NFT_PIPAPO_ALIGN
> +		free_percpu(new->scratch_aligned);
> +#endif

I would use another label for this, "out_scratch_aligned", for
consistency with the rest of the error handling, but it's not a strong
preference.

> +		goto out_scratch;
> +	}
> +
>  	rcu_head_init(&new->rcu);
>  
>  	src = old->f;
> 

-- 
Stefano


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-01-04 23:22 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <5tg3b13w5.PCaY2G@prvy.eu>
2022-01-04 19:57 ` nftables >= 0.9.8: atomic update (nft -f ...) of a set not possible any more Florian Westphal
2022-01-04 23:22   ` Stefano Brivio

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).