Re: [net-next, RFC, 4/8] net: core: add recycle capabilities on skbs via page_pool API

2018-12-08 Thread Florian Westphal
Jesper Dangaard Brouer wrote: > From: Ilias Apalodimas > > This patch is changing struct sk_buff, and is thus per-definition > controversial. > > Place a new member 'mem_info' of type struct xdp_mem_info, just after > members (flags) head_frag and pfmemalloc, And not in between >

[PATCH ipsec-next] xfrm: policy: fix policy hash rebuild

2018-11-27 Thread Florian Westphal
Otherwise, the inexact policies won't be found anymore during lookup, as they get hashed to a bogus bin. Reported-by: Dan Carpenter Fixes: cc1bb845adc9 ("xfrm: policy: return NULL when inexact search needed") Signed-off-by: Florian Westphal --- net/xfrm/xfrm_policy.c | 9 +

Re: [RFC PATCH 0/3] sk_buff: add skb extension infrastructure

2018-11-26 Thread Florian Westphal
David Miller wrote: > From: Florian Westphal > Date: Mon, 26 Nov 2018 22:19:33 +0100 > > >> In the future please document what is so enormous and absolutely > >> required that they must put it all into the SKB control block. > > > > Ok, will do. >

Re: [RFC PATCH 0/3] sk_buff: add skb extension infrastructure

2018-11-26 Thread Florian Westphal
David Miller wrote: > > This adds an extension infrastructure for sk_buff instead: > > 1. extension memory is released when the sk_buff is free'd. > > 2. data is shared after cloning an skb. > > 3. adding extension to an skb will COW the extension > >buffer if needed. > > So MP-TCP, when

[RFC PATCH 3/3] net: convert bridge_nf to use skb extension infrastructure

2018-11-26 Thread Florian Westphal
. Signed-off-by: Florian Westphal --- include/linux/netfilter_bridge.h | 4 ++-- include/linux/skbuff.h | 28 ++-- include/net/netfilter/br_netfilter.h | 8 net/Kconfig | 1 + net/bridge/br_netfilter_hooks.c | 20

[RFC PATCH 0/3] sk_buff: add skb extension infrastructure

2018-11-26 Thread Florian Westphal
The (out-of-tree) Multipath-TCP implementation needs a significant amount of extra space in the skb control buffer. Increasing skb->cb[] size in mainline is a non-starter for memory and performance reasons (f.e. increase in cb size also moves several frequently-accessed fields to other cache

[RFC PATCH 1/3] netfilter: avoid using skb->nf_bridge directly

2018-11-26 Thread Florian Westphal
plan is to remove this pointer from sk_buff, so use the existing helpers in more places to reduce noise later on. Signed-off-by: Florian Westphal --- include/linux/netfilter_bridge.h | 33 +- include/net/netfilter/br_netfilter.h | 6 net/bridge/br_netfilter_hooks.c

[RFC PATCH 2/3] sk_buff: add skb extension infrastructure

2018-11-26 Thread Florian Westphal
>sp (ipsec/xfrm secpath) to an skb extension is planned as a followup. Signed-off-by: Florian Westphal --- include/linux/skbuff.h | 124 +- net/Kconfig| 3 + net/core/skbuff.c | 131 + net/ipv4/ip_outp

[PATCH ipsec-next] xfrm: policy: fix netlink/pf_key policy lookups

2018-11-14 Thread Florian Westphal
bypassed ipsec tunnel PASS: direct policy matches PASS: policy matches 1 Fixes: 6be3b0db6db ("xfrm: policy: add inexact policy search tree infrastructure") Reported-by: Colin Ian King Signed-off-by: Florian Westphal --- net/xfrm/xfrm_policy.c | 5 ++- tools/testing

Re: xfrm: policy: add inexact policy search tree infrastructure

2018-11-14 Thread Florian Westphal
Colin Ian King wrote: > Hi, > > Static analysis with CoverityScan found a potential issue with the commit: > > commit 6be3b0db6db82cf056a72cc18042048edd27f8ee > Author: Florian Westphal > Date: Wed Nov 7 23:00:37 2018 +0100 > > xfrm: policy: add inexact policy

[PATCH ipsec-next 05/11] xfrm: policy: store inexact policies in an rhashtable

2018-11-07 Thread Florian Westphal
would have to search all hash buckets and then figure out which matching policy candidate is the most recent one -- this appears a bit harder than just keeping the 'old' inexact list for this purpose. Signed-off-by: Florian Westphal --- include/net/netns/xfrm.h | 2 + include/net/xfrm.h | 1

[PATCH ipsec-next 04/11] xfrm: policy: return NULL when inexact search needed

2018-11-07 Thread Florian Westphal
when this happens, but future patch can then implement a different strategy. Signed-off-by: Florian Westphal --- net/xfrm/xfrm_policy.c | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 20d6815be0d7

[PATCH ipsec-next 07/11] xfrm: policy: add inexact policy search tree infrastructure

2018-11-07 Thread Florian Westphal
policies into a tree. This only introduces a single class: any:any. Next patch will add a search tree to pre-sort policies that have a fixed daddr/prefixlen, so in this patch the any:any class will still be used for all policies. Signed-off-by: Florian Westphal --- include/net/xfrm.h | 1 + net

[PATCH ipsec-next 10/11] xfrm: policy: store inexact policies in a tree ordered by source address

2018-11-07 Thread Florian Westphal
This adds the 'saddr:any' search class. It contains all policies that have a fixed saddr/prefixlen, but 'any' destination. Signed-off-by: Florian Westphal --- net/xfrm/xfrm_policy.c | 46 ++ 1 file changed, 42 insertions(+), 4 deletions(-) diff --git

[PATCH ipsec-next 06/11] xfrm: policy: consider if_id when hashing inexact policy

2018-11-07 Thread Florian Westphal
This avoids searches of policies that cannot match in the first place due to different interface id by placing them in different bins. Signed-off-by: Florian Westphal --- net/xfrm/xfrm_policy.c | 25 - 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/net

[PATCH ipsec-next 01/11] selftests: add xfrm policy test script

2018-11-07 Thread Florian Westphal
he tunnel. Abuses iptables to check if ping did resolve an ipsec policy or not. Also adds a bunch of 'block' rules that are not supposed to match. Signed-off-by: Florian Westphal --- tools/testing/selftests/net/Makefile | 3 +- tools/testing/selftests/net/xfrm_policy.sh | 276 +++

[PATCH ipsec-next 09/11] xfrm: policy: check reinserted policies match their node

2018-11-07 Thread Florian Westphal
/28 because an overlapping subnet was added (e.g. 10.0.0.0/24), so whenever this happens existing policies have to be placed on the list of the new node. Signed-off-by: Florian Westphal --- net/xfrm/xfrm_policy.c | 32 1 file changed, 32 insertions(+) diff --git

[PATCH ipsec-next 00/11] xfrm: policy: add inexact policy search tree

2018-11-07 Thread Florian Westphal
t prevent us from re-adding a new flow caching scheme, but so far i found no good solution (all have various DoS or degradation issues). Comments or questions welcome. Florian Westphal (11): selftests: add xfrm policy test script xfrm: security: iterate all, not inexact lists xf

[PATCH ipsec-next 08/11] xfrm: policy: store inexact policies in a tree ordered by destination address

2018-11-07 Thread Florian Westphal
avoid placing those on the 'any:any' list too. Signed-off-by: Florian Westphal --- include/net/xfrm.h | 1 + net/xfrm/xfrm_policy.c | 333 - 2 files changed, 328 insertions(+), 6 deletions(-) diff --git a/include/net/xfrm.h b/include/net/xfrm.h index

[PATCH ipsec-next 11/11] xfrm: policy: add 2nd-level saddr trees for inexact policies

2018-11-07 Thread Florian Westphal
for the policy with the higher priority. This will only speed up lookups in case we have many policies and a sizeable portion of these have disjunct saddr/daddr addresses. Signed-off-by: Florian Westphal --- net/xfrm/xfrm_policy.c | 118 + 1 file changed,

[PATCH ipsec-next 03/11] xfrm: policy: split list insertion into a helper

2018-11-07 Thread Florian Westphal
... so we can reuse this later without code duplication when we add policy to a second inexact list. Signed-off-by: Florian Westphal --- net/xfrm/xfrm_policy.c | 43 ++ 1 file changed, 27 insertions(+), 16 deletions(-) diff --git a/net/xfrm/xfrm_policy.c

[PATCH ipsec-next 02/11] xfrm: security: iterate all, not inexact lists

2018-11-07 Thread Florian Westphal
or sorted into a tree), this walk would become more complicated. Simplify this: walk the 'all' list and skip socket policies during traversal so we don't need to handle exact and inexact policies separately anymore. Signed-off-by: Florian Westphal --- net/xfrm/xfrm_pol

Re: Attribute failed policy validation

2018-10-24 Thread Florian Westphal
Marco Berizzi wrote: [ CC David ] > root@Calimero:~# tc qdisc add dev eth0 root handle 1:0 hfsc default 1 > Error: Attribute failed policy validation. caused by: commit 8b4c3cdd9dd8290343ce959a132d3b334062c5b9 net: sched: Add policy validation for tc attributes Looks like TCA_OPTIONS is

Re: crash in xt_policy due to skb_dst_drop() in nf_ct_frag6_gather()

2018-10-16 Thread Florian Westphal
Maciej Żenczykowski wrote: I am currently travelling and not able to investigate until next week. > commit ad8b1ffc3efae2f65080bdb11145c87d299b8f9a > Author: Florian Westphal > netfilter: ipv6: nf_defrag: drop skb dst before queueing > > +++ b/net/ipv6/netfilter/nf_co

[PATCH ipsec] xfrm: policy: use hlist rcu variants on insert

2018-10-10 Thread Florian Westphal
bydst table/list lookups use rcu, so insertions must use rcu versions. Fixes: a7c44247f704e ("xfrm: policy: make xfrm_policy_lookup_bytype lockless") Signed-off-by: Florian Westphal --- net/xfrm/xfrm_policy.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git

Re: [PATCH ipsec] net: xfrm: pass constant family to nf_hook function

2018-09-21 Thread Florian Westphal
David Ahern wrote: > On 9/21/18 8:55 AM, Florian Westphal wrote: > > David Ahern wrote: > >>> David, i hope this will silence the warning, would be nice > >>> if you could test it. > >> > >> I still the warning. > > > > Wait. Do

Re: [PATCH ipsec] net: xfrm: pass constant family to nf_hook function

2018-09-21 Thread Florian Westphal
David Ahern wrote: > > David, i hope this will silence the warning, would be nice > > if you could test it. > > I still the warning. Wait. Do you see this warning everywhere or just in xfrm?

[PATCH ipsec] net: xfrm: pass constant family to nf_hook function

2018-09-21 Thread Florian Westphal
vid Ahern Signed-off-by: Florian Westphal --- David, i hope this will silence the warning, would be nice if you could test it. I don't really like this patch, but I see no better solution except needless increase of hooks_arp[]. Any other idea? net/xfrm/xfrm_output.c |

Re: array bounds warning in xfrm_output_resume

2018-09-20 Thread Florian Westphal
David Ahern wrote: > > $ make O=kbuild/perf -j 24 -s > > In file included from /home/dsa/kernel-3.git/include/linux/kernel.h:10:0, > > from /home/dsa/kernel-3.git/include/linux/list.h:9, > > from /home/dsa/kernel-3.git/include/linux/module.h:9, > >

Re: array bounds warning in xfrm_output_resume

2018-09-19 Thread Florian Westphal
David Ahern wrote: > > I believe ef57170bbfdd6 is the commit that introduced the warning > > > > Hi Florian: > > I am still seeing this. I realize the compiler is not understanding the > conditions properly, but it is a distraction every time I do a kernel > build on Debian Stretch having to

[PATCH net] tcp: do not restart timewait timer on rst reception

2018-08-30 Thread Florian Westphal
moved/lost in 1f28b683339f7 ("Merge in TCP/UDP optimizations and [..]") and timer restart became unconditional. Reported-by: Michal Tesar Signed-off-by: Florian Westphal --- net/ipv4/tcp_minisocks.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv4/tcp_mi

Re: Linux kernel error stack

2018-08-05 Thread Florian Westphal
Michal Kubecek wrote: > On Mon, Aug 06, 2018 at 01:15:37AM +0200, Florian Westphal wrote: > > Michal Kubecek wrote: > > > Oops, exactly this issue was already discussed almost a year ago: > > > > > > http://lkml.kernel.org/r/20170824104824.2c318a0...@unicor

Re: Linux kernel error stack

2018-08-05 Thread Florian Westphal
Michal Kubecek wrote: > Oops, exactly this issue was already discussed almost a year ago: > > http://lkml.kernel.org/r/20170824104824.2c318a0...@unicorn.suse.cz > > But something more urgent came and I forgot to get back to it. :-( I did not even remember, thanks for the pointer. So I think

Re: Linux kernel error stack

2018-08-05 Thread Florian Westphal
Satish Patel wrote: > Florian, > > It seems those rules coming from here > https://github.com/openstack/openstack-ansible-os_neutron/blob/master/files/post-up-metadata-checksum This is crazy, and, as you found, it doesn't even do what they seem to think it does. I see no reason for these rules

Re: Linux kernel error stack

2018-08-05 Thread Florian Westphal
Satish Patel wrote: > After reading further related DHCP checksum issue, it seems we need > that rules when you running DHCP on same host machine where your guest > using host DHCP service, in that case virtual nic won't do checksum. > If your DHCP running on different host then your physical nic

Re: Linux kernel error stack

2018-08-05 Thread Florian Westphal
Satish Patel wrote: > > [84166:59495417] -A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM > > --checksum-fill > > [68739:5153476] -A POSTROUTING -p tcp -m tcp --sport 8000 -j CHECKSUM > > --checksum-fill These rules make no sense to me, and are also source of your backtrace. Who set this up?

Re: Linux kernel error stack

2018-08-05 Thread Florian Westphal
Satish Patel wrote: > Thanks Florian, > > FYI, I don't have any CHECKSUM configure in my iptables, You have, according to WARN stacktrace you provided. iptables-save -c ip6tables-save -c

Re: Linux kernel error stack

2018-08-05 Thread Florian Westphal
Satish Patel wrote: > I am installing openstack and as you know i have lots of bridges and > vlan interface on my Linux CentOS 7.5 > > I was getting following error stack on 3.10 kernel and found this is > kernel bug which required kernel upgrade so now i have upgraded my > kernel to 4.17.12 but

[PATCH net-next v3] ipv6: defrag: drop non-last frags smaller than min mtu

2018-08-02 Thread Florian Westphal
e concerns that there could be even smaller frags generated by intermediate nodes, e.g. on radio networks. Cc: Peter Oskolkov Cc: Eric Dumazet Signed-off-by: Florian Westphal --- net/ipv6/netfilter/nf_conntrack_reasm.c | 4 net/ipv6/reassembly.c | 4 2 files

[PATCH nf-next v2 1/1] ipv6: defrag: drop non-last frags smaller than min mtu

2018-08-02 Thread Florian Westphal
generated by intermediate nodes, e.g. on radio networks. Cc: Peter Oskolkov Cc: Eric Dumazet Signed-off-by: Florian Westphal --- net/ipv6/netfilter/nf_conntrack_reasm.c | 4 net/ipv6/reassembly.c | 4 2 files changed, 8 insertions(+) diff --git a/net/ipv6

[PATCH net-next] inet: defrag: drop non-last frags smaller than min mtu

2018-08-02 Thread Florian Westphal
: Eric Dumazet Signed-off-by: Florian Westphal --- net/ipv4/ip_fragment.c | 5 + net/ipv6/netfilter/nf_conntrack_reasm.c | 4 net/ipv6/reassembly.c | 4 3 files changed, 13 insertions(+) diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c

Re: [PATCH net] inet: frag: enforce memory limits earlier

2018-07-31 Thread Florian Westphal
Jann Horn wrote: > On Tue, Jul 31, 2018 at 7:54 AM Florian Westphal wrote: > > > > Eric Dumazet wrote: > > > We currently check current frags memory usage only when > > > a new frag queue is created. This allows attackers to first > > > consume t

Re: [PATCH net] inet: frag: enforce memory limits earlier

2018-07-30 Thread Florian Westphal
Eric Dumazet wrote: > We currently check current frags memory usage only when > a new frag queue is created. This allows attackers to first > consume the memory budget (default : 4 MB) creating thousands > of frag queues, then sending tiny skbs to exceed high_thresh > limit by 2 to 3 order of

[PATCH net-next] netlink: do not store start function in netlink_cb

2018-07-24 Thread Florian Westphal
->start() is called once when dump is being initialized, there is no need to store it in netlink_cb. Signed-off-by: Florian Westphal --- include/linux/netlink.h | 1 - net/netlink/af_netlink.c | 5 ++--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/include/linux/netlink.

Re: [PATCH] netfilter: avoid stalls in nf_ct_alloc_hashtable

2018-07-24 Thread Florian Westphal
Li RongQing wrote: > when system forks a process with CLONE_NEWNET flag under the > high memory pressure, it will trigger memory reclaim and stall > for a long time because nf_ct_alloc_hashtable need to allocate > high-order memory at that time. The calltrace as below: >

[PATCH net] atl1c: reserve min skb headroom

2018-07-20 Thread Florian Westphal
der) got pulled, but then 16 are copied. Reserve NET_SKB_PAD bytes headroom, like netdev_alloc_skb(). Compile tested only; I lack hardware. Fixes: 7b7017642199 ("atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring") Signed-off-by: Florian Westphal --- diff --git a/drivers/net/eth

Re: [PATCH v4 net-next 7/9] net: ipv4: listified version of ip_rcv

2018-07-03 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Mon, Jul 02, 2018 at 04:14:12PM +0100, Edward Cree wrote: > > Also involved adding a way to run a netfilter hook over a list of packets. > > Rather than attempting to make netfilter know about lists (which would be > > a major project in itself) we just let it call

Re: [RFC PATCH v2 net-next 07/12] net: ipv4: listified version of ip_rcv

2018-06-27 Thread Florian Westphal
Edward Cree wrote: > Also involved adding a way to run a netfilter hook over a list of packets. > Rather than attempting to make netfilter know about lists (which would be > a major project in itself) we just let it call the regular okfn (in this > case ip_rcv_finish()) for any packets it

[PATCH v2 ipsec-next] xfrm: policy: remove pcpu policy cache

2018-06-25 Thread Florian Westphal
throughput is independent of the number of tunnels, while before the throughput was reduced as the number of tunnels increased. Reported-by: Kristian Evensen Signed-off-by: Florian Westphal --- v2: rebase on top of current ipsec-next include/net/xfrm.h | 1 - net/xfrm/xfrm_device.c | 10

[PATCH ipsec] xfrm: free skb if nlsk pointer is NULL

2018-06-25 Thread Florian Westphal
nlmsg_multicast() always frees the skb, so in case we cannot call it we must do that ourselves. Fixes: 21ee543edc0dea ("xfrm: fix race between netns cleanup and state expire notification") Signed-off-by: Florian Westphal --- net/xfrm/xfrm_user.c | 10 ++ 1 file changed, 6

[PATCH ipsec-next] xfrm: policy: remove pcpu policy cache

2018-06-25 Thread Florian Westphal
throughput is independent of the number of tunnels, while before the throughput was reduced as the number of tunnels increased. Reported-by: Kristian Evensen Signed-off-by: Florian Westphal --- include/net/xfrm.h | 1 - net/xfrm/xfrm_device.c | 10 net/xfrm/xfrm_policy.c | 139

Re: [PATCH][v2] xfrm: replace NR_CPU with nr_cpu_ids

2018-06-20 Thread Florian Westphal
Steffen Klassert wrote: > On Tue, Jun 19, 2018 at 09:53:49AM +0200, Florian Westphal wrote: > > Li RongQing wrote: > > > The default NR_CPUS can be very large, but actual possible nr_cpu_ids > > > usually is very small. For some x86 distribution, the NR_CPUS is 8192 &g

Re: array bounds warning in xfrm_output_resume

2018-06-19 Thread Florian Westphal
David Ahern wrote: > $ make O=kbuild/perf -j 24 -s > In file included from /home/dsa/kernel-3.git/include/linux/kernel.h:10:0, > from /home/dsa/kernel-3.git/include/linux/list.h:9, > from /home/dsa/kernel-3.git/include/linux/module.h:9, > from

Re: [PATCH][v2] xfrm: replace NR_CPU with nr_cpu_ids

2018-06-19 Thread Florian Westphal
Li RongQing wrote: > The default NR_CPUS can be very large, but actual possible nr_cpu_ids > usually is very small. For some x86 distribution, the NR_CPUS is 8192 > and nr_cpu_ids is 4, so replace NR_CPU to save some memory Steffen, I will soon submit a patch to remove the percpu cache; removal

Re: [PATCH net-next 0/10] xfrm: remove flow cache

2018-06-13 Thread Florian Westphal
ore expensive (retpolines). When pcpu xdst exists, it has to be validated first (which needs indirect calls). So even if hit rate is good, it might be cheaper to allocate a new xdst entry. Furthermore, the current xdst cache needs to run with BH off, which is also not needed when its removed. Compile te

Re: [PATCH net-next] netfilter: fix null-ptr-deref in nf_nat_decode_session

2018-05-28 Thread Florian Westphal
Prashant Bhole <bhole_prashant...@lab.ntt.co.jp> wrote: > Add null check for nat_hook in nf_nat_decode_session() Acked-by: Florian Westphal <f...@strlen.de>

Re: [PATCH v2 net] netfilter: provide correct argument to nla_strlcpy()

2018-05-22 Thread Florian Westphal
Eric Dumazet <eduma...@google.com> wrote: > Recent patch forgot to remove nla_data(), upsetting syzkaller a bit. Duuuh Thanks Eric. Acked-by: Florian Westphal <f...@strlen.de>

Re: [PATCH v2] netfilter: properly initialize xt_table_info structure

2018-05-18 Thread Florian Westphal
Greg Kroah-Hartman wrote: > On Thu, May 17, 2018 at 12:42:00PM +0200, Jan Engelhardt wrote: > > > > On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote: > > >> > --- a/net/netfilter/x_tables.c > > >> > +++ b/net/netfilter/x_tables.c > > >> > @@ -1183,11 +1183,10 @@

Re: Silently dropped UDP packets on kernel 4.14

2018-05-02 Thread Florian Westphal
Kristian Evensen wrote: > I went for the early-insert approached and have patched I'm sorry for suggesting that. It doesn't work, because of NAT. NAT rewrites packet content and changes the reply tuple, but the tuples determine the hash insertion location. I don't

Re: Silently dropped UDP packets on kernel 4.14

2018-05-01 Thread Florian Westphal
Kristian Evensen wrote: > On Tue, May 1, 2018 at 8:50 PM, Kristian Evensen > wrote: > > Does anyone have any idea of what could be wrong, where I should look > > or other things I can try? I tried to space the requests out a bit in > > time

Re: [PATCH] netfilter: ebtables: handle string from userspace with care

2018-04-27 Thread Florian Westphal
Paolo Abeni wrote: > strlcpy() can't be safely used on a user-space provided string, > as it can try to read beyond the buffer's end, if the latter is > not NULL terminated. Yes. > Leveraging the above, syzbot has been able to trigger the following > splat: > > BUG: KASAN:

Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID

2018-04-23 Thread Florian Westphal
Ahmed Abdelsalam wrote: > > > @@ -50,6 +62,12 @@ struct ip6t_srh { > > > __u8segs_left; > > > __u8last_entry; > > > __u16 tag; > > > + struct in6_addr psid_addr; > > > + struct in6_addr nsid_addr;

Re: [PATCH RFC iptables] iptables: Per-net ns lock

2018-04-20 Thread Florian Westphal
Kirill Tkhai wrote: > Pablo, Florian, could you please provide comments on this? > > On 09.04.2018 19:55, Kirill Tkhai wrote: > > In CRIU and LXC-restore we met the situation, > > when iptables in container can't be restored > > because of permission denied: > > > >

Re: tcp hang when socket fills up ?

2018-04-17 Thread Florian Westphal
Dominique Martinet wrote: [ CC Jozsef ] > Could it have something to do with the way I setup the connection? > I don't think the "both remotes call connect() with carefully selected > source/dest port" is a very common case.. > > If you look at the tcpdump outputs I

Re: tcp hang when socket fills up ?

2018-04-16 Thread Florian Westphal
Dominique Martinet wrote: > Eric Dumazet wrote on Sun, Apr 15, 2018: > > Are you sure you do not have some iptables/netfilter stuff ? > > I have a basic firewall setup with default rules e.g. starts with > -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT > in the

Re: possible deadlock in rtnl_lock (5)

2018-03-27 Thread Florian Westphal
syzbot wrote: [ cc Julian and trimming cc list ] > syzkaller688027/4497 is trying to acquire lock: > (rtnl_mutex){+.+.}, at: [] rtnl_lock+0x17/0x20 > net/core/rtnetlink.c:74 > but task is already holding lock: > IPVS:

Re: [PATCH nf] netfilter: drop template ct when conntrack is skipped.

2018-03-22 Thread Florian Westphal
s for template ct on every target/match > manipulating skb->_nfct, simply drop the template ct when skipping > nf_conntrack_in(). Fixes: 7b4fdf77a450ec ("netfilter: don't track fragmented packets") Acked-by: Florian Westphal <f...@strlen.de>

Re: linux-next: ip6tables *broken* - last base chain position %u doesn't match underflow %u (hook %u

2018-03-20 Thread Florian Westphal
valdis.kletni...@vt.edu wrote: > (Resending because I haven't heard anything) [ ip6tables broken ] Sorry, did not see this email before. I'll investigate asap, thanks for the detailed report.

Re: [RFC,POC] iptables/nftables to epbf/xdp via common intermediate layer

2018-03-15 Thread Florian Westphal
Alexei Starovoitov wrote: > The way this IMR defined today looks pretty much like nft and > it feels a bit too low level than iptable conversion would need. It wasn't so much about a specific IMR but to avoid code duplication between nft and iptables translators. >

Re: [PATCH 00/30] Netfilter/IPVS updates for net-next

2018-03-13 Thread Florian Westphal
David Miller wrote: [ flow tables ] > Ok, that seems to constrain the exposure. > > We should talk at some point about how exposed conntrack itself is. Sure, we can do that. If you have specific scenarios (synflood, peer that opens 100k (legitimate) connections,

Re: [PATCH 00/30] Netfilter/IPVS updates for net-next

2018-03-13 Thread Florian Westphal
David Miller wrote: > From: Felix Fietkau > Date: Mon, 12 Mar 2018 20:30:01 +0100 > > > It's not dead and useless. In its current state, it has a software fast > > path that significantly improves nftables routing/NAT throughput, > > especially on embedded

Re: [PATCH v2] net: netfilter: Replace printk() with appropriate pr_*() macro

2018-03-11 Thread Florian Westphal
Arushi Singhal wrote: > On Mon, Mar 12, 2018 at 2:17 AM, Pablo Neira Ayuso > wrote: > > > Hi Joe, > > > > On Sun, Mar 11, 2018 at 12:52:41PM -0700, Joe Perches wrote: > > > On Mon, 2018-03-12 at 01:11 +0530, Arushi Singhal wrote: > > > >

Re: WARNING in __proc_create

2018-03-09 Thread Florian Westphal
Cong Wang wrote: > On Fri, Mar 9, 2018 at 2:58 PM, Eric Dumazet wrote: > > > > > > On 03/09/2018 02:56 PM, Eric Dumazet wrote: > > > >> > >> I sent a patch a while back, but Pablo/Florian wanted more than that > >> simple fix. > >> > >> We also

Re: WARNING in __proc_create

2018-03-09 Thread Florian Westphal
Eric Dumazet wrote: > >>fs/proc/generic.c:354 > > > >We need to reject empty names. > > > > I sent a patch a while back, but Pablo/Florian wanted more than that simple > fix. > > We also need to filter special characters like '/' > > Or maybe I am mixing with something

Re: [RFC PATCH v2] bridge: make it possible for packets to traverse the bridge without hitting netfilter

2018-03-09 Thread Florian Westphal
David Woodhouse <dw...@infradead.org> wrote: > > > On Fri, 2015-03-06 at 17:37 +0100, Florian Westphal wrote: > > > > > > I did performance measurements in the following way: > > > >  > > > > Removed those pieces of the packet

Re: [RFC,POC] iptables/nftables to epbf/xdp via common intermediate layer

2018-03-06 Thread Florian Westphal
Edward Cree <ec...@solarflare.com> wrote: > On 06/03/18 16:42, Florian Westphal wrote: > > I would also add 'highlevel' objects that are themselves translated into > > basic operations. Most obvious example > > are 'fetch 4 bytes x bytes into transport header'. >

Re: [RFC,POC] iptables/nftables to epbf/xdp via common intermediate layer

2018-03-06 Thread Florian Westphal
Daniel Borkmann <dan...@iogearbox.net> wrote: > On 03/04/2018 08:40 PM, Florian Westphal wrote: > > Its still in early stage, but I think its good enough as > > a proof-of-concept. > > be the critical part in that it needs to be flexible enough to cover > both

Re: [PATCH net] netfilter: check for out-of-bounds while copying compat entries

2018-03-05 Thread Florian Westphal
Paolo Abeni wrote: > Currently, when coping ebt compat entries, no checks are in place > for the offsets provided by user space, so that syzbot was able to > trigger the following splat: > --- > net/bridge/netfilter/ebtables.c | 2 +- > 1 file changed, 1 insertion(+), 1

[RFC,POC 1/3] bpfilter: add experimental IMR bpf translator

2018-03-04 Thread Florian Westphal
only for now) - immediate (32, 64 bit constants) - payload, with relative addressing (mac header, network header, transport header) This doesn't add a user; files will not even be compiled yet. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/bpfilter/imr.c

[RFC,POC 2/3] bpfilter: add nftables jit proof-of-concept

2018-03-04 Thread Florian Westphal
rrently needs libnftnl/libmnl but that's convenience on my end and not a "must have". Signed-off-by: Florian Westphal <f...@strlen.de> --- net/bpfilter/Makefile | 7 +- net/bpfilter/nftables.c | 679 2 files changed, 685 insertions(+

[RFC,POC 3/3] bpfilter: switch bpfilter to iptables->IMR translation

2018-03-04 Thread Florian Westphal
Translate basic iptables rule blob to the IMR, then ask IMR to translate to ebpf. IMR is shared between nft and bpfilter translators. iptables_gen_append() is the only relevant function here, as it demonstrates simple 'source/destination matches x' test. Signed-off-by: Florian Westphal &l

[RFC,POC] iptables/nftables to epbf/xdp via common intermediate layer

2018-03-04 Thread Florian Westphal
These patches, which go on top of the 'bpfilter' RFC patches, demonstrate an nftables to ebpf translation (done in userspace). In order to not duplicate the ebpf code generation efforts, the rules iptables -i lo -d 127.0.0.2 -j DROP and nft add rule ip filter input ip daddr 127.0.0.2 drop are

[ANNOUNCE] nftables 0.8.3 release

2018-03-03 Thread Florian Westphal
examples: add ct helper examples files: add load balance example meta: introduce datatype ifname_type Baruch Siach (1): src: fix build with older glibc David Fabian (1): Added undefine/redefine keywords Duncan Roe (1): doc/nft.xml: fix typo Florian Westphal (16):

Re: [PATCH] netfilter: use skb_to_full_sk in ip6_route_me_harder

2018-02-25 Thread Florian Westphal
Eric Dumazet wrote: > From: Eric Dumazet > > For some reason, Florian forgot to apply to ip6_route_me_harder > the fix that went in commit 29e09229d9f2 ("netfilter: use > skb_to_full_sk in ip_route_me_harder") Indeed, sorry about that, thanks for

Re: syzcaller patch postings...

2018-02-22 Thread Florian Westphal
Dmitry Vyukov wrote: > On Thu, Feb 22, 2018 at 9:26 AM, Paolo Abeni wrote: > > On Wed, 2018-02-21 at 16:47 -0500, David Miller wrote: > >> I have to mention this now before it gets out of control. > >> > >> I would like to ask that syzkaller stop posting

Re: syzcaller patch postings...

2018-02-21 Thread Florian Westphal
David Miller wrote: > I have to mention this now before it gets out of control. > > I would like to ask that syzkaller stop posting the patch it is > testing when it posts to netdev. Same for netfilter-devel. I could not get a reproducer to trigger and asked syzbot to test

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-21 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Tue, Feb 20, 2018 at 05:52:54PM -0800, Alexei Starovoitov wrote: > > On Tue, Feb 20, 2018 at 11:44:31AM +0100, Pablo Neira Ayuso wrote: > > > > > > Don't get me wrong, no software is safe from security issues, but if you > > > don't abstract

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Florian Westphal
David Miller wrote: > From: Phil Sutter > Date: Mon, 19 Feb 2018 18:14:11 +0100 > > > OK, so reading between the lines you're saying that nftables project > > has failed to provide an adequate successor to iptables? > > Whilst it is great that the atomic table

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Florian Westphal
David Miller <da...@davemloft.net> wrote: > From: Florian Westphal <f...@strlen.de> > Date: Mon, 19 Feb 2018 15:53:14 +0100 > > > Sure, but looking at all the things that were added to iptables > > to alleviate some of the issues (ipset for instance) show that w

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Florian Westphal
David Miller <da...@davemloft.net> wrote: > From: Florian Westphal <f...@strlen.de> > Date: Mon, 19 Feb 2018 15:59:35 +0100 > > > David Miller <da...@davemloft.net> wrote: > >> It also means that the scope of developers who can contribute and

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Florian Westphal
David Miller wrote: > From: Daniel Borkmann > Date: Mon, 19 Feb 2018 13:03:17 +0100 > > > Thought was that it would be more suitable to push all the complexity of > > such translation into user space which brings couple of additional > > advantages >

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Florian Westphal
David Miller wrote: > > How many of those wide-spread applications are you aware of? The two > > projects you have pointed out (docker and kubernetes) don't. As the > > assumption that many such tools would need to be supported drives a lot > > of the design decisions, I

[PATCH nf] netfilter: bridge: ebt_among: add missing match size checks

2018-02-18 Thread Florian Westphal
src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fa,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe,fe:fe:fe:fe:fe:fe Reported-by: <syzbot+fe0b19af568972814...@syzkaller.appspotmail.com> Signed-off-by: Florian Westphal <f...@strlen.de> --- net/bridge/netfilter/ebt_among.c | 21 +++-- 1 file changed

[PATCH nf] netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets

2018-02-18 Thread Florian Westphal
' --log plus jump to custom chains using 32bit ebtables binary. Reported-by: <syzbot+845a53d13171abf8b...@syzkaller.appspotmail.com> Signed-off-by: Florian Westphal <f...@strlen.de> --- net/bridge/netfilter/ebtables.c | 13 - 1 file changed, 12 insertions(+), 1 deletion(-)

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-18 Thread Florian Westphal
Daniel Borkmann wrote: > As rule translation can potentially become very complex, this is performed > entirely in user space. In order to ease deployment, request_module() code > is extended to allow user mode helpers to be invoked. Idea is that user mode > helpers are built

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-17 Thread Florian Westphal
Harald Welte wrote: > I believe _if_ one wants to use the approach of "hiding" eBPF behind > iptables, then either [..] > b) you must introduce new 'tables', like an 'xdp' table which then has >the notion of processing very early in processing, way before the >normal

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-17 Thread Florian Westphal
Florian Westphal <f...@strlen.de> wrote: > David Miller <da...@davemloft.net> wrote: > > From: Florian Westphal <f...@strlen.de> > > Date: Fri, 16 Feb 2018 17:14:08 +0100 > > > > > Any particular reason why translating iptables rather than

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-17 Thread Florian Westphal
David Miller <da...@davemloft.net> wrote: > From: Florian Westphal <f...@strlen.de> > Date: Fri, 16 Feb 2018 17:14:08 +0100 > > > Any particular reason why translating iptables rather than nftables > > (it should be possible to monitor the nftables changes

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-17 Thread Florian Westphal
Daniel Borkmann <dan...@iogearbox.net> wrote: > Hi Florian, > > On 02/16/2018 05:14 PM, Florian Westphal wrote: > > Florian Westphal <f...@strlen.de> wrote: > >> Daniel Borkmann <dan...@iogearbox.net> wrote: > >> Several questions spinning at

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-16 Thread Florian Westphal
Florian Westphal <f...@strlen.de> wrote: > Daniel Borkmann <dan...@iogearbox.net> wrote: > Several questions spinning at the moment, I will probably come up with > more: ... and here there are some more ... One of the many pain points of xtables design is the assumption of '
