From: Phil Sutter <phil@nwl.cc>
To: netfilter-devel@vger.kernel.org
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Florian Westphal <fw@strlen.de>,
igor@gooddata.com
Subject: Re: [iptables PATCH 0/3] Follow-up on dangling set fix
Date: Fri, 28 Jul 2023 11:37:12 +0200 [thread overview]
Message-ID: <ZMOMSHrTOMXgGLpy@orbyte.nwl.cc> (raw)
In-Reply-To: <20230715125928.18395-1-phil@nwl.cc>
On Sat, Jul 15, 2023 at 02:59:25PM +0200, Phil Sutter wrote:
> While testing/analyzing the changes in commit 4e95200ded923, I noticed
> comparison of rules containing among matches was not behaving right. In
> fact, most part of the among match data was ignored when comparing, due
> to the way among extension scales its payload. This problem exists since
> day 1 of the extension implementation for ebtables-nft. Patch 1 fixes
> this by placing a hash of the "invisible" data in well-known space.
>
> Patch 2 is a minor cleanup of commit 4e95200ded923, eliminating some
> ineffective function signature changes.
>
> Patch 3 adds set (with element) dumps to debug output.
>
> Note about 4e95200ded923 itself: I don't quite like the approach of
> conditionally converting a rule into libnftnl format using only compat
> expressions for extensions. I am aware my proposed compatibility mode
> does the same, but it's a global switch changing add_match() behaviour
> consistently. What the commit above does works only because for rule
> comparison, both rules are converted back into iptables_command_state
> objects. I'd like to follow an alternative path of delaying the
> rule conversion so that it does not happen in nft_cmd_new() but later
> from nft_action() (or so). This should eliminate some back-and-forth and
> also implicitly fix the case of needless set creation.
>
> Phil Sutter (3):
> extensions: libebt_among: Fix for false positive match comparison
> nft: Do not pass nft_rule_ctx to add_nft_among()
> nft: Include sets in debug output
Applied the last two patches of this series. Patch 1 turned out to be
ineffective (due to frequent collisions). A proper solution is contained
in commit 10583537004f7 ("nft: Special casing for among match in
compare_matches()").
prev parent reply other threads:[~2023-07-28 9:37 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-15 12:59 [iptables PATCH 0/3] Follow-up on dangling set fix Phil Sutter
2023-07-15 12:59 ` [iptables PATCH 1/3] extensions: libebt_among: Fix for false positive match comparison Phil Sutter
2023-07-17 11:07 ` Pablo Neira Ayuso
2023-07-17 16:23 ` Phil Sutter
2023-07-21 9:59 ` Phil Sutter
2023-07-21 13:56 ` Pablo Neira Ayuso
2023-07-21 14:41 ` Phil Sutter
2023-07-15 12:59 ` [iptables PATCH 2/3] nft: Do not pass nft_rule_ctx to add_nft_among() Phil Sutter
2023-07-15 12:59 ` [iptables PATCH 3/3] nft: Include sets in debug output Phil Sutter
2023-07-28 9:37 ` Phil Sutter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZMOMSHrTOMXgGLpy@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=igor@gooddata.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).