netfilter-devel.vger.kernel.org archive mirror
From: Jeremy Sowden <jeremy@azazel.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Arturo Borrero Gonzalez <arturo@debian.org>,
	netfilter-devel@vger.kernel.org, fw@strlen.de, phil@nwl.cc
Subject: Re: [RFC] nftables 0.9.8 -stable backports
Date: Tue, 10 Oct 2023 21:08:38 +0100
Message-ID: <20231010200838.GA1438255@celephais.dreamlands>
In-Reply-To: <ZSUPsdpvPNDOl8TY@calendula>

On 2023-10-10, at 10:54:51 +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 09, 2023 at 01:36:29PM +0200, Pablo Neira Ayuso wrote:
> > This is a small batch offering fixes for nftables 0.9.8. It only
> > includes the fixes for the implicit chain regression in recent
> > kernels.
> > 
> > A few dependency patches that are missing in 0.9.8 are
> > required:
> > 
> >         3542e49cf539 ("evaluate: init cmd pointer for new on-stack context")
> >         a3ac2527724d ("src: split chain list in table")
> >         4e718641397c ("cache: rename chain_htable to cache_chain_ht")
> > 
> > a3ac2527724d is fixing an issue with the cache that is required by the
> > fixes. Then, the backport fixes for the implicit chain regression with
> > Linux -stable:
> > 
> >         3975430b12d9 ("src: expand table command before evaluation")
> >         27c753e4a8d4 ("rule: expand standalone chain that contains rules")
> >         784597a4ed63 ("rule: add helper function to expand chain rules into commands")
> > 
> > I tested with tests/shell at the time of the nftables 0.9.8 release
> > (*I did not use git HEAD tests/shell as I did for 1.0.6*).
> > 
> > I have kept back the backport of this patch intentionally:
> > 
> >         56c90a2dd2eb ("evaluate: expand sets and maps before evaluation")
> > 
> > this depends on the new src/interval.c code, in 0.9.8 overlap and
> > automerge come at a later stage and cache is not updated incrementally,
> > I tried the tests coming in this patch and it works fine.
> > 
> > I did run a few more tests with rulesets that I have been collecting
> > from people that occasionally send them to me for my personal ruleset
> > repo.
> > 
> > I: results: [OK] 266 [FAILED] 0 [TOTAL] 266
> > 
> > This has been tested with latest Linux kernel 5.10 -stable.
> 
> Amendment:
> 
> I: results: [OK] 264 [FAILED] 2 [TOTAL] 266
> 
> But this is because stateful expressions in sets are not available in 5.10.
> 
> W: [FAILED]     ././testcases/sets/0059set_update_multistmt_0
> W: [FAILED]     ././testcases/sets/0060set_multistmt_0
>
> and tests/shell in 0.9.8 has no feature detection support.

This is very helpful.  Thanks.

My immediate interest is getting the implicit chain regression fixes
into Debian 11, so for that I'm going to cherry-pick:

  4e718641397c ("cache: rename chain_htable to cache_chain_ht")
  a3ac2527724d ("src: split chain list in table")
  784597a4ed63 ("rule: add helper function to expand chain rules into commands")
  27c753e4a8d4 ("rule: expand standalone chain that contains rules")
  3975430b12d9 ("src: expand table command before evaluation")

J.
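
Added example, not part of the original message or of the nftables tree: a check a packager could run over tests/shell output for a 0.9.8 backport on a 5.10 kernel, accepting only the two failures the thread attributes to missing stateful expressions in sets. The function names, the sample logs and the extra test name in REGRESSION are constructed for illustration.

```python
import re

# Line formats as they appear in the tests/shell output quoted in the thread.
SUMMARY_RE = re.compile(r"I: results: \[OK\] (\d+) \[FAILED\] (\d+) \[TOTAL\] (\d+)")
FAILED_RE = re.compile(r"W: \[FAILED\]\s+(\S+)")

# The two failures the thread attributes to the 5.10 kernel.
KNOWN_FAILURES = frozenset({
    "testcases/sets/0059set_update_multistmt_0",
    "testcases/sets/0060set_multistmt_0",
})

def normalize(path):
    """Drop the leading './' components the harness prints."""
    while path.startswith("./"):
        path = path[2:]
    return path

def triage(log_text, known=KNOWN_FAILURES):
    """Return the counts plus any failure that is not on the known list."""
    summary, failed = None, set()
    for line in log_text.splitlines():
        if m := SUMMARY_RE.search(line):
            summary = tuple(int(n) for n in m.groups())
        elif m := FAILED_RE.search(line):
            failed.add(normalize(m.group(1)))
    if summary is None:
        raise ValueError("no 'I: results:' summary line found")
    ok, nfailed, total = summary
    # The summary must add up and match the number of failures listed.
    consistent = ok + nfailed == total and nfailed == len(failed)
    unexpected = sorted(failed - known)
    return {"ok": ok, "failed": nfailed, "total": total,
            "consistent": consistent, "unexpected": unexpected,
            "acceptable": consistent and not unexpected}

# Constructed sample: the lines quoted above, gathered into one log.
SAMPLE = """\
W: [FAILED]     ././testcases/sets/0059set_update_multistmt_0
W: [FAILED]     ././testcases/sets/0060set_multistmt_0
I: results: [OK] 264 [FAILED] 2 [TOTAL] 266
"""
# Constructed sample: the same run plus one hypothetical extra failure.
REGRESSION = SAMPLE.replace("[OK] 264 [FAILED] 2", "[OK] 263 [FAILED] 3") + \
    "W: [FAILED]     ././testcases/chains/0000hypothetical_0\n"

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(REGRESSION))
```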
