* [PATCH net 0/3] Netfilter/IPVS fixes for net
@ 2022-12-13 14:09 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-12-13 14:09 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains fixes for Netfilter/IPVS:
1) Fix NAT IPv6 flowtable hardware offload, from Qingfang DENG.
2) Add a safety check to the IPVS socket option interface to report a
warning if an unsupported command is seen. From Li Qiong.
3) Document SCTP conntrack timeouts, from Sriram Yagnaraman.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit f8bac7f9fdb0017b32157957ffffd490f95faa07:
net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() (2022-12-08 09:38:31 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to f9645abe4255bd79e4c63799634c996dd53db321:
netfilter: conntrack: document sctp timeouts (2022-12-13 12:25:45 +0100)
----------------------------------------------------------------
Li Qiong (1):
ipvs: add a 'default' case in do_ip_vs_set_ctl()
Qingfang DENG (1):
netfilter: flowtable: really fix NAT IPv6 offload
Sriram Yagnaraman (1):
netfilter: conntrack: document sctp timeouts
Documentation/networking/nf_conntrack-sysctl.rst | 33 ++++++++++++++++++++++++
net/netfilter/ipvs/ip_vs_ctl.c | 5 ++++
net/netfilter/nf_flow_table_offload.c | 6 ++---
3 files changed, 41 insertions(+), 3 deletions(-)
* [PATCH net 1/3] netfilter: flowtable: really fix NAT IPv6 offload
From: Pablo Neira Ayuso @ 2022-12-13 14:09 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Qingfang DENG <dqfext@gmail.com>
The for-loop was broken from the start. It translates to:
for (i = 0; i < 4; i += 4)
which means the loop statement is run only once, so only the highest
32 bits of the IPv6 address get mangled.
Fix the loop increment.
Fixes: 0e07e25b481a ("netfilter: flowtable: fix NAT IPv6 offload mangling")
Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support")
Signed-off-by: Qingfang DENG <dqfext@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_flow_table_offload.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 0fdcdb2c9ae4..4d9b99abe37d 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -383,12 +383,12 @@ static void flow_offload_ipv6_mangle(struct nf_flow_rule *flow_rule,
const __be32 *addr, const __be32 *mask)
{
struct flow_action_entry *entry;
- int i, j;
+ int i;
- for (i = 0, j = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32), j++) {
+ for (i = 0; i < sizeof(struct in6_addr) / sizeof(u32); i++) {
entry = flow_action_entry_next(flow_rule);
flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP6,
- offset + i, &addr[j], mask);
+ offset + i * sizeof(u32), &addr[i], mask);
}
}
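Review bot: The same 32-bit `mask` is now passed for each of the four words in the corrected loop (`offset + i * sizeof(u32), &addr[i], mask`); a short comment above the loop saying that `mask` is a per-word mask applied identically to every word, not a 128-bit address mask, would save the next reader from re-deriving that. Since the original loop silently left the lower 96 bits of the address untouched and two Fixes: tags show it survived one earlier attempt, a selftest that offloads an IPv6 NAT flow and checks all four words of the translated address would make a regression visible.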
--
2.30.2
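The loop bug described in this message, as an added example that is not part of the patch or of the kernel source: a user-space model of the mangle loop, with hypothetical names (mangle_word, old_loop_words, fixed_loop_words) and a constructed zeroed IPv6 header, showing that the old increment rewrote only the first of the four 32-bit address words while the corrected loop rewrites all four.

```c
/* Added example, not kernel code: models flow_offload_ipv6_mangle() from the
 * patch above in user space. All names here are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t be32;  /* stand-in for the kernel's __be32 */

/* sizeof(struct in6_addr) / sizeof(u32): number of 32-bit words in an address */
#define IN6_WORDS ((size_t)(16 / sizeof(uint32_t)))

/* Stand-in for one hardware mangle action: overwrite the 32-bit word at byte
 * offset `offset` of the header with `val`, under the 32-bit `mask`. */
static void mangle_word(uint8_t *hdr, size_t offset, be32 val, be32 mask)
{
    be32 cur;
    memcpy(&cur, hdr + offset, sizeof(cur));
    cur = (cur & ~mask) | (val & mask);
    memcpy(hdr + offset, &cur, sizeof(cur));
}

/* Old loop: `i` steps by sizeof(u32) but is compared against the word
 * count, so the body runs exactly once (i = 0; i < 4; i += 4). */
static void mangle_ipv6_old(uint8_t *hdr, size_t offset, const be32 *addr, be32 mask)
{
    size_t i, j;
    for (i = 0, j = 0; i < IN6_WORDS; i += sizeof(uint32_t), j++)
        mangle_word(hdr, offset + i, addr[j], mask);
}

/* Fixed loop: `i` counts words and the byte offset is derived from it. */
static void mangle_ipv6_new(uint8_t *hdr, size_t offset, const be32 *addr, be32 mask)
{
    size_t i;
    for (i = 0; i < IN6_WORDS; i++)
        mangle_word(hdr, offset + i * sizeof(uint32_t), addr[i], mask);
}

/* Count how many of the four words at `offset` now equal the wanted address. */
static int words_rewritten(const uint8_t *hdr, size_t offset, const be32 *addr)
{
    int n = 0;
    for (size_t i = 0; i < IN6_WORDS; i++) {
        be32 w;
        memcpy(&w, hdr + offset + i * sizeof(uint32_t), sizeof(w));
        if (w == addr[i])
            n++;
    }
    return n;
}

/* Run one of the two loops on a constructed header and report how many of
 * the four destination-address words were rewritten. */
static int run_loop(int use_fixed_loop)
{
    uint8_t hdr[40] = {0};              /* constructed: zeroed IPv6 header */
    const size_t dst_off = 24;          /* destination address offset in IPv6 */
    const be32 new_addr[4] = {0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u};

    if (use_fixed_loop)
        mangle_ipv6_new(hdr, dst_off, new_addr, 0xffffffffu);
    else
        mangle_ipv6_old(hdr, dst_off, new_addr, 0xffffffffu);
    return words_rewritten(hdr, dst_off, new_addr);
}

int old_loop_words(void)   { return run_loop(0); }  /* returns 1 */
int fixed_loop_words(void) { return run_loop(1); }  /* returns 4 */

int main(void)
{
    printf("old loop rewrote %d/4 words, fixed loop rewrote %d/4 words\n",
           old_loop_words(), fixed_loop_words());
    return 0;
}
```

The old loop leaves words 1 to 3 at their original value, which is exactly the partially translated address the commit message describes; any check that only looks at the first word of the offloaded address would have passed.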
* Re: [PATCH net 1/3] netfilter: flowtable: really fix NAT IPv6 offload
From: patchwork-bot+netdevbpf @ 2022-12-14 4:00 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba, pabeni, edumazet
Hello:
This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Tue, 13 Dec 2022 15:09:21 +0100 you wrote:
> From: Qingfang DENG <dqfext@gmail.com>
>
> The for-loop was broken from the start. It translates to:
>
> for (i = 0; i < 4; i += 4)
>
> which means the loop statement is run only once, so only the highest
> 32-bit of the IPv6 address gets mangled.
>
> [...]
Here is the summary with links:
- [net,1/3] netfilter: flowtable: really fix NAT IPv6 offload
https://git.kernel.org/netdev/net/c/5fb45f95eec6
- [net,2/3] ipvs: add a 'default' case in do_ip_vs_set_ctl()
https://git.kernel.org/netdev/net/c/ba57ee0944ff
- [net,3/3] netfilter: conntrack: document sctp timeouts
https://git.kernel.org/netdev/net/c/f9645abe4255
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* [PATCH net 2/3] ipvs: add a 'default' case in do_ip_vs_set_ctl()
From: Pablo Neira Ayuso @ 2022-12-13 14:09 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Li Qiong <liqiong@nfschina.com>
It is better to return the default switch case with
'-EINVAL', in case new commands are added. Otherwise,
an uninitialized value of ret is returned.
Signed-off-by: Li Qiong <liqiong@nfschina.com>
Reviewed-by: Simon Horman <horms@verge.net.au>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipvs/ip_vs_ctl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 988222fff9f0..97f6a1c8933a 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2590,6 +2590,11 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, sockptr_t ptr, unsigned int len)
break;
case IP_VS_SO_SET_DELDEST:
ret = ip_vs_del_dest(svc, &udest);
+ break;
+ default:
+ WARN_ON_ONCE(1);
+ ret = -EINVAL;
+ break;
}
out_unlock:
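Review bot: `WARN_ON_ONCE(1)` in the new default case is only safe if `cmd` has already been range-checked against the supported set earlier in do_ip_vs_set_ctl(); if a userspace-supplied value can reach this switch, the WARN turns an invalid option into a taint (or a crash under panic_on_warn) where a plain `-EINVAL` would do. Either way, a one-line comment that the default is reachable only when a new command is added without a matching case, as the commit message states, would make the intent of the WARN clear to the next reader.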
--
2.30.2
* [PATCH net 3/3] netfilter: conntrack: document sctp timeouts
From: Pablo Neira Ayuso @ 2022-12-13 14:09 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Update the documentation to describe the sctp states exposed through
sysctl and their default timeouts.
Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
.../networking/nf_conntrack-sysctl.rst | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/Documentation/networking/nf_conntrack-sysctl.rst b/Documentation/networking/nf_conntrack-sysctl.rst
index 1120d71f28d7..49db1d11d7c4 100644
--- a/Documentation/networking/nf_conntrack-sysctl.rst
+++ b/Documentation/networking/nf_conntrack-sysctl.rst
@@ -163,6 +163,39 @@ nf_conntrack_timestamp - BOOLEAN
Enable connection tracking flow timestamping.
+nf_conntrack_sctp_timeout_closed - INTEGER (seconds)
+ default 10
+
+nf_conntrack_sctp_timeout_cookie_wait - INTEGER (seconds)
+ default 3
+
+nf_conntrack_sctp_timeout_cookie_echoed - INTEGER (seconds)
+ default 3
+
+nf_conntrack_sctp_timeout_established - INTEGER (seconds)
+ default 432000 (5 days)
+
+nf_conntrack_sctp_timeout_shutdown_sent - INTEGER (seconds)
+ default 0.3
+
+nf_conntrack_sctp_timeout_shutdown_recd - INTEGER (seconds)
+ default 0.3
+
+nf_conntrack_sctp_timeout_shutdown_ack_sent - INTEGER (seconds)
+ default 3
+
+nf_conntrack_sctp_timeout_heartbeat_sent - INTEGER (seconds)
+ default 30
+
+ This timeout is used to setup conntrack entry on secondary paths.
+ Default is set to hb_interval.
+
+nf_conntrack_sctp_timeout_heartbeat_acked - INTEGER (seconds)
+ default 210
+
+ This timeout is used to setup conntrack entry on secondary paths.
+ Default is set to (hb_interval * path_max_retrans + rto_max)
+
nf_conntrack_udp_timeout - INTEGER (seconds)
default 30
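Review bot: `default 0.3` for nf_conntrack_sctp_timeout_shutdown_sent and nf_conntrack_sctp_timeout_shutdown_recd sits under entries labelled `INTEGER (seconds)`, which cannot express a fractional second; the text should state the default as 300 ms and say what an integer read of the sysctl shows, otherwise readers will take it for a typo. The heartbeat_sent and heartbeat_acked entries also repeat the identical sentence "This timeout is used to setup conntrack entry on secondary paths."; the second should say which state it covers, "setup" should be "set up", and the closing formula `(hb_interval * path_max_retrans + rto_max)` is missing its period.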
--
2.30.2
* [PATCH net 0/3] Netfilter/IPVS fixes for net
@ 2025-03-12 23:18 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2025-03-12 23:18 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw, horms
Hi,
The following patchset contains Netfilter/IPVS fixes for net:
1) Missing initialization of cpu and jiffies32 fields in conncount,
from Kohei Enju.
2) Skip several tests in case the kernel is tainted; otherwise the tests
bogusly report failure as well, since they also check for a tainted kernel,
from Florian Westphal.
3) Fix a hypothetical integer overflow in do_ip_vs_get_ctl() leading
to bogus error logs, from Dan Carpenter.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-03-12
Thanks.
----------------------------------------------------------------
The following changes since commit 77b2ab31fc65c595ca0a339f6c5b8ef3adfae5c6:
MAINTAINERS: sfc: remove Martin Habets (2025-03-10 13:34:15 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-03-12
for you to fetch changes up to 80b78c39eb86e6b55f56363b709eb817527da5aa:
ipvs: prevent integer overflow in do_ip_vs_get_ctl() (2025-03-12 15:48:26 +0100)
----------------------------------------------------------------
netfilter pull request 25-03-12
----------------------------------------------------------------
Dan Carpenter (1):
ipvs: prevent integer overflow in do_ip_vs_get_ctl()
Florian Westphal (1):
selftests: netfilter: skip br_netfilter queue tests if kernel is tainted
Kohei Enju (1):
netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()
net/netfilter/ipvs/ip_vs_ctl.c | 8 ++++----
net/netfilter/nf_conncount.c | 2 ++
tools/testing/selftests/net/netfilter/br_netfilter.sh | 7 +++++++
tools/testing/selftests/net/netfilter/br_netfilter_queue.sh | 7 +++++++
tools/testing/selftests/net/netfilter/nft_queue.sh | 1 +
5 files changed, 21 insertions(+), 4 deletions(-)