From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: Quan Tian <tianquan23@gmail.com>,
netfilter-devel@vger.kernel.org, kadlec@netfilter.org
Subject: Re: [PATCH v3 nf-next 2/2] netfilter: nf_tables: support updating userdata for nft_table
Date: Tue, 12 Mar 2024 23:23:56 +0100 [thread overview]
Message-ID: <ZfDV_AedKO-Si4-_@calendula> (raw)
In-Reply-To: <20240312143300.GF1529@breakpoint.cc>
On Tue, Mar 12, 2024 at 03:33:00PM +0100, Florian Westphal wrote:
> Quan Tian <tianquan23@gmail.com> wrote:
> > In nf_tables_commit():
> > The 1st trans swaps old udata with 1st new udata;
> > The 2nd trans swaps 1st new udata with 2nd new udata.
> >
> > In nft_commit_release():
> > The 1st trans frees old udata;
> > The 2nd trans frees 1st new udata.
> >
> > So multiple udata requests in a batch could work?
>
> Yes, it could work indeed but we got bitten by
> subtle bugs with back-to-back updates.
yes, we have seen subtle bugs recently. As for the table flags, the
dormant flag has been particularly a problem, it is tricky one because
it registers hooks from preparation step (which might fail) but it
cannot register hooks because abort path might need undo things, and
re-register the hooks could lead to failures from a later path which
does not admit failures. For the dormant flag, another possibility
would be to handle this from the core, so there is no need to register
and unregister hooks, instead simply set them as inactive.
The dormant flag use case is rather corner case, but hardware offload
will require sooner or later a mode to run in _hardware mode only_
(currently it is both hardware and software for nftables) and
considering the hardware offload API has been designed for packet
classifiers from the late 90s (that is, very strictly express your
policy in a linear ruleset) that means dropping packets early is fine,
but wanted traffic gets evaluated in a linear list.
> If there is a simple way to detect and reject
> this then I believe its better to disallow it.
That requires to iterate over the list of transaction, or add some
kind of flag to reject this.
> Unless you come up with a use-case where such back-to-back
> udate updates make sense of course.
I don't have a use-case for this table userdata myself, this is
currently only used to store comments by userspace, why someone would
be willing to update such comment associated to a table, I don't know.
I would like to know if there are plans to submit similar patches for
other objects. As for sets, this needs to be careful because userdata
contains the set description.
next prev parent reply other threads:[~2024-03-12 22:24 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-11 14:14 [PATCH v3 nf-next 1/2] netfilter: nf_tables: use struct nlattr * to store userdata for nft_table Quan Tian
2024-03-11 14:14 ` [PATCH v3 nf-next 2/2] netfilter: nf_tables: support updating " Quan Tian
2024-03-12 12:27 ` Florian Westphal
2024-03-12 12:49 ` Pablo Neira Ayuso
2024-03-12 13:01 ` Florian Westphal
2024-03-12 14:26 ` Quan Tian
2024-03-12 14:33 ` Florian Westphal
2024-03-12 22:23 ` Pablo Neira Ayuso [this message]
2024-03-13 1:35 ` Quan Tian
2024-03-13 9:40 ` Pablo Neira Ayuso
2024-03-13 17:08 ` Quan Tian
2024-03-12 14:36 ` Pablo Neira Ayuso
2024-03-12 13:49 ` Pablo Neira Ayuso
2024-03-12 14:02 ` Florian Westphal
2024-03-12 14:10 ` Florian Westphal
2024-03-12 14:30 ` Quan Tian
2024-03-12 14:05 ` [PATCH v3 nf-next 1/2] netfilter: nf_tables: use struct nlattr * to store " Florian Westphal
2024-03-12 14:17 ` Pablo Neira Ayuso
2024-03-12 14:34 ` Florian Westphal
2024-03-12 15:03 ` Quan Tian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZfDV_AedKO-Si4-_@calendula \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=kadlec@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=tianquan23@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).