From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: s.hanreich@proxmox.com, Florian Westphal <fw@strlen.de>
Subject: [PATCH nf 0/5] netfilter: nf_tables: fix false negative lookups with ongoing transaction
Date: Wed, 10 Sep 2025 10:02:17 +0200
Message-ID: <20250910080227.11174-1-fw@strlen.de>
Stefan Hanreich reports spurious false negative results during set lookups
while another CPU is processing a transaction.
Quoting from the original bug report:
It seems like we've found an issue with atomicity when reloading
nftables rulesets. Sometimes there is a small window where rules
containing sets do not seem to apply to incoming traffic, due to the set
apparently being empty for a short amount of time when flushing / adding
elements.
Example ruleset:
table ip filter {
        set match {
                type ipv4_addr
                flags interval
                elements = { 0.0.0.0-192.168.2.19, 192.168.2.21-255.255.255.255 }
        }
        chain pre {
                type filter hook prerouting priority filter; policy accept;
                ip saddr @match accept
                counter comment "must never match"
        }
}
Reproducer transaction:
while true; do
        nft -f - <<EOF
flush set ip filter match
create element ip filter match { \
        0.0.0.0-192.168.2.19, 192.168.2.21-255.255.255.255 }
EOF
done
Then create traffic to/from e.g. 192.168.2.1 to 192.168.3.10.
Once in a while the counter will increment even though the
'ip saddr @match' rule should have accepted the packet.
This series resolves set inconsistencies that occur when a transaction
has entered the final commit phase. See individual patches for details.
Thanks to Stefan Hanreich for an initial description and reproducer for
this bug and to Pablo Neira Ayuso for reviewing earlier iterations of
this patchset.
Florian Westphal (5):
netfilter: nft_set_pipapo: don't check genbit from packetpath lookups
netfilter: nft_set_rbtree: continue traversal if element is inactive
netfilter: nf_tables: place base_seq in struct net
netfilter: nf_tables: make nft_set_do_lookup available unconditionally
netfilter: nf_tables: restart set lookup on base_seq change
include/net/netfilter/nf_tables.h | 1 -
include/net/netfilter/nf_tables_core.h | 10 +---
include/net/netns/nftables.h | 1 +
net/netfilter/nf_tables_api.c | 66 +++++++++++++-------------
net/netfilter/nft_lookup.c | 46 ++++++++++++++++--
net/netfilter/nft_set_pipapo.c | 20 +++++++-
net/netfilter/nft_set_pipapo_avx2.c | 4 +-
net/netfilter/nft_set_rbtree.c | 6 +--
8 files changed, 100 insertions(+), 54 deletions(-)
--
2.49.1
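The cover letter describes the symptom (a lookup during a concurrent commit misses an element that is present before and after the transaction) and the fifth patch's remedy (restart the lookup when base_seq changes) without spelling out the mechanism. The following user-space model is an added illustration, not kernel code and not the nf_tables data structures: it assumes a two-bit generation mask per element, a commit that swaps in a replacement copy and then flips the generation bit, and a seqcount-like base_seq that is odd while a commit is in progress. The race is injected through a test seam ("hook") so the interleaving is deterministic; the intervals and the test address come from the reproducer in the report.

```c
/*
 * Added illustration (not kernel code): a user-space model of a
 * generation-bit false negative during commit and of the
 * "restart the lookup if base_seq changed" remedy.  The set layout,
 * commit sequence and injection point are simplified assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMS 8

struct elem {
	uint32_t lo, hi;        /* inclusive IPv4 interval, host byte order */
	unsigned int genmask;   /* bit g set: element is active in generation g */
};

struct set {
	struct elem elems[MAX_ELEMS];
	int n;
};

static unsigned int genbit;     /* current generation, 0 or 1 */
static unsigned int base_seq;   /* assumption: odd while a commit is in progress */
static struct set copies[2];
static struct set *live;        /* copy consulted by the packet path */
static int commits_injected;

static uint32_t ip4(int a, int b, int c, int d)
{
	return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static void set_add(struct set *s, uint32_t lo, uint32_t hi, unsigned int genmask)
{
	if (s->n >= MAX_ELEMS)
		abort();
	s->elems[s->n].lo = lo;
	s->elems[s->n].hi = hi;
	s->elems[s->n].genmask = genmask;
	s->n++;
}

/* The report's two intervals, active only in generation g. */
static void set_init(struct set *s, unsigned int g)
{
	memset(s, 0, sizeof(*s));
	set_add(s, ip4(0, 0, 0, 0), ip4(192, 168, 2, 19), 1u << g);
	set_add(s, ip4(192, 168, 2, 21), ip4(255, 255, 255, 255), 1u << g);
}

/*
 * Commit of "flush set; create element { same intervals }": the
 * replacement copy only holds elements active in the *next* generation;
 * the copy is swapped in first, the generation bit flips afterwards.
 */
static void commit_flush_and_readd(void)
{
	unsigned int next = genbit ^ 1;
	struct set *fresh = (live == &copies[0]) ? &copies[1] : &copies[0];

	base_seq++;                 /* odd: commit in progress */
	set_init(fresh, next);
	live = fresh;               /* packet path now sees the new copy ... */
	genbit = next;              /* ... and, one step later, the new generation */
	base_seq++;                 /* even: commit finished */
}

typedef void (*race_hook_t)(void);

/* Test seam: lets a commit land between the genbit sample and the element check. */
static void inject_commit_once(void)
{
	if (commits_injected++ == 0)
		commit_flush_and_readd();
}

static void model_reset(void)
{
	genbit = 0;
	base_seq = 0;
	commits_injected = 0;
	live = &copies[0];
	set_init(live, genbit);
}

/*
 * Racy shape: sample the generation once at entry and validate the
 * matched element against that sample.  If a commit swaps the copy and
 * flips genbit in between, the new element is judged against the stale
 * generation and the lookup reports "no match".
 */
static bool lookup_once(uint32_t addr, race_hook_t hook)
{
	unsigned int cur = genbit;
	const struct set *s;
	int i;

	if (hook)
		hook();
	s = live;
	for (i = 0; i < s->n; i++) {
		const struct elem *e = &s->elems[i];
		if (addr >= e->lo && addr <= e->hi)
			return (e->genmask & (1u << cur)) != 0;
	}
	return false;
}

/* Remedy: redo the lookup if base_seq moved or a commit was in progress. */
static bool lookup_restartable(uint32_t addr, race_hook_t hook)
{
	for (;;) {
		unsigned int seq = base_seq;
		bool hit = lookup_once(addr, hook);

		if ((seq & 1) == 0 && seq == base_seq)
			return hit;
	}
}

/* 192.168.2.1 is inside the first interval before and after the commit. */
static bool racy_lookup_during_commit(void)
{
	model_reset();
	return lookup_once(ip4(192, 168, 2, 1), inject_commit_once);
}

static bool restartable_lookup_during_commit(void)
{
	model_reset();
	return lookup_restartable(ip4(192, 168, 2, 1), inject_commit_once);
}

static bool lookup_quiescent(uint32_t addr)
{
	model_reset();
	return lookup_restartable(addr, NULL);
}

int main(void)
{
	printf("192.168.2.1 during commit, racy lookup:        %s\n",
	       racy_lookup_during_commit() ? "match" : "MISS (false negative)");
	printf("192.168.2.1 during commit, restartable lookup: %s\n",
	       restartable_lookup_during_commit() ? "match" : "MISS");
	printf("192.168.2.20 quiescent (the hole):             %s\n",
	       lookup_quiescent(ip4(192, 168, 2, 20)) ? "match" : "no match");
	return 0;
}
```

The retry loop mirrors the seqcount read pattern: a lookup that started while the sequence was odd, or that observed a different sequence on exit, is repeated rather than trusted. In the model the first attempt misses 192.168.2.1 because the swapped-in element is only active in the generation the lookup did not sample; the retry samples the new generation and matches.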
Thread overview: 8+ messages
2025-09-10 8:02 Florian Westphal [this message]
2025-09-10 8:02 ` [PATCH nf 1/5] netfilter: nft_set_pipapo: don't check genbit from packetpath lookups Florian Westphal
2025-09-10 8:02 ` [PATCH nf 2/5] netfilter: nft_set_rbtree: continue traversal if element is inactive Florian Westphal
2025-09-10 8:02 ` [PATCH nf 3/5] netfilter: nf_tables: place base_seq in struct net Florian Westphal
2025-09-10 8:02 ` [PATCH nf 4/5] netfilter: nf_tables: make nft_set_do_lookup available unconditionally Florian Westphal
2025-09-10 8:02 ` [PATCH nf 5/5] netfilter: nf_tables: restart set lookup on base_seq change Florian Westphal
2025-09-11 9:31 ` [PATCH nf 0/5] netfilter: nf_tables: fix false negative lookups with ongoing transaction Gabriel Goller
2025-09-11 11:02 ` Florian Westphal