From: Florian Westphal <fw@strlen.de>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, Lorenzo Bianconi <lorenzo@kernel.org>
Subject: Re: [PATCH RFC] netfilter: nf_tables: add flowtable map for xdp offload
Date: Thu, 2 Nov 2023 09:30:42 +0100 [thread overview]
Message-ID: <20231102083042.GB6174@breakpoint.cc> (raw)
In-Reply-To: <20231019202507.16439-1-fw@strlen.de>
Florian Westphal <fw@strlen.de> wrote:
> This adds a small internal mapping table so that a new bpf (xdp) kfunc
> A device cannot be added to multiple flowtables, the mapping needs
> to be unique.
This breaks two cases:
1. Two-Phase commmit protocol:
nft -f - <<EOF
flush ruleset
table t {
flowtable ...
EOF
fails when called a 2nd time. This problem also exists
for at least the mlx hw offload too.
It would be good to fix this generically but I do not see
how given this problem is nftables specific and not really
flowtable related.
2. currently nftables supports
table ip t {
flowtable f {
devices = { eth0 ...
table ip6 t {
flowtable f {
devices = { eth0 ...
table inet t {
flowtable f {
devices = { eth0 ...
... and this works, i.e. same device can be part of
up to 6 flowtables.
This one is easier to fix, the program can guess ip/ip6
based to packet data and can a family to the kfunc as a
function argument.
inet would be shadowed / hidden when an ip/ip6 flowtable
mapping exists as well.
This is not nice, but the ip(6) and inet thing should
not occur in practice and nothing breaks here because
existing sw path is still going to work.
> +static int nf_flow_offload_xdp_setup(struct nf_flowtable *flowtable,
> + struct net_device *dev,
> + enum flow_block_command cmd)
> +{
> + switch (cmd) {
> + case FLOW_BLOCK_BIND:
> + return nf_flowtable_by_dev_insert(flowtable, dev);
This is fine or at least can be made to work.
> + case FLOW_BLOCK_UNBIND:
> + nf_flowtable_by_dev_remove(dev);
This is broken. UNBIND comes too late when things are torn down.
I only see two solutions:
1. add a new nf_flow_offload_unbind_prepare() that does this
2. Decouple nf_flowtable from nft_flowtable and make nf_flowtable
refcounted. As-is, the UNBIND will result in UAF because the
underlying structures will be free'd immediately after this,
without any synchronize_rcu().
next prev parent reply other threads:[~2023-11-02 8:30 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-19 20:25 [PATCH RFC] netfilter: nf_tables: add flowtable map for xdp offload Florian Westphal
2023-10-23 10:33 ` Lorenzo Bianconi
2023-10-23 11:16 ` Florian Westphal
2023-11-02 8:30 ` Florian Westphal [this message]
2023-11-09 11:09 ` Florian Westphal
2023-11-02 10:49 ` Toke Høiland-Jørgensen
2023-11-02 10:54 ` Florian Westphal
2023-11-02 11:07 ` Toke Høiland-Jørgensen
2023-11-02 11:11 ` Florian Westphal
2023-11-02 11:07 ` Florian Westphal
2023-11-02 11:25 ` Toke Høiland-Jørgensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231102083042.GB6174@breakpoint.cc \
--to=fw@strlen.de \
--cc=lorenzo@kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).