v2: with kdoc fixes per Paolo Abeni.
-o-
The following patchset contains Netfilter fixes for net:
Patch #1 and #2 handle an esoteric scenario: Given two tasks sending UDP
packets to one another, two packets of the same flow in each direction
handled by different CPUs that result in two conntrack objects in NEW
state, where reply packet loses race. Then, patch #3 adds a testcase for
this scenario. Series from Florian Westphal.
1) NAT engine can falsely detect a port collision if it happens to pick
up a reply packet as NEW rather than ESTABLISHED. Add extra code to
detect this and suppress port reallocation in this case.
2) To complete the clash resolution in the reply direction, extend conntrack
logic to detect clashing conntrack in the reply direction to existing entry.
3) Adds a test case.
Then, an assorted list of fixes follow:
4) Add a selftest for tproxy, from Antonio Ojea.
5) Guard ctnetlink_*_size() functions under
#if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)
From Andy Shevchenko.
6) Use -m socket --transparent in iptables tproxy documentation.
From XIE Zhibang.
7) Call kfree_rcu() when releasing flowtable hooks to address race with
netlink dump path, from Phil Sutter.
8) Fix compilation warning in nf_reject with CONFIG_BRIDGE_NETFILTER=n.
From Simon Horman.
9) Guard ctnetlink_label_size() under CONFIG_NF_CONNTRACK_EVENTS which
is its only user, to address a compilation warning. From Simon Horman.
10) Use rcu-protected list iteration over basechain hooks from netlink
dump path.
11) Fix memcg for nf_tables, use GFP_KERNEL_ACCOUNT is not complete.
12) Remove old nfqueue conntrack clash resolution. Instead trying to
use same destination address consistently which requires double DNAT,
use the existing clash resolution which allows clashing packets
go through with different destination. Antonio Ojea originally
reported an issue from the postrouting chain, I proposed a fix:
https://lore.kernel.org/netfilter-devel/ZuwSwAqKgCB2a51-@calendula/T/
which he reported it did not work for him.
13) Adds a selftest for patch 12.
14) Fixes ipvs.sh selftest.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-09-26
Thanks.
----------------------------------------------------------------
The following changes since commit 9410645520e9b820069761f3450ef6661418e279:
Merge tag 'net-next-6.12' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next (2024-09-16 06:02:27 +0200)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-09-26
for you to fetch changes up to fc786304ad9803e8bb86b8599bc64d1c1746c75f:
selftests: netfilter: Avoid hanging ipvs.sh (2024-09-26 13:03:03 +0200)
----------------------------------------------------------------
netfilter pull request 24-09-26
----------------------------------------------------------------
Andy Shevchenko (1):
netfilter: ctnetlink: Guard possible unused functions
Antonio Ojea (1):
selftests: netfilter: nft_tproxy.sh: add tcp tests
Florian Westphal (5):
netfilter: nf_nat: don't try nat source port reallocation for reverse dir clash
netfilter: conntrack: add clash resolution for reverse collisions
selftests: netfilter: add reverse-clash resolution test case
netfilter: nfnetlink_queue: remove old clash resolution logic
kselftest: add test for nfqueue induced conntrack race
Pablo Neira Ayuso (2):
netfilter: nf_tables: use rcu chain hook list iterator from netlink dump path
netfilter: nf_tables: missing objects with no memcg accounting
Phil Sutter (2):
netfilter: nf_tables: Keep deleted flowtable hooks until after RCU
selftests: netfilter: Avoid hanging ipvs.sh
Simon Horman (2):
netfilter: nf_reject: Fix build warning when CONFIG_BRIDGE_NETFILTER=n
netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS
谢致邦 (XIE Zhibang) (1):
docs: tproxy: ignore non-transparent sockets in iptables
Documentation/networking/tproxy.rst | 2 +-
include/linux/netfilter.h | 4 -
net/ipv4/netfilter/nf_reject_ipv4.c | 10 +-
net/ipv6/netfilter/nf_reject_ipv6.c | 5 +-
net/netfilter/nf_conntrack_core.c | 141 +++-----
net/netfilter/nf_conntrack_netlink.c | 9 +-
net/netfilter/nf_nat_core.c | 121 ++++++-
net/netfilter/nf_tables_api.c | 6 +-
net/netfilter/nft_compat.c | 6 +-
net/netfilter/nft_log.c | 2 +-
net/netfilter/nft_meta.c | 2 +-
net/netfilter/nft_numgen.c | 2 +-
net/netfilter/nft_set_pipapo.c | 13 +-
net/netfilter/nft_tunnel.c | 5 +-
tools/testing/selftests/net/netfilter/Makefile | 4 +
tools/testing/selftests/net/netfilter/config | 1 +
.../net/netfilter/conntrack_reverse_clash.c | 125 +++++++
.../net/netfilter/conntrack_reverse_clash.sh | 51 +++
tools/testing/selftests/net/netfilter/ipvs.sh | 2 +-
tools/testing/selftests/net/netfilter/nft_queue.sh | 92 +++++-
.../selftests/net/netfilter/nft_tproxy_tcp.sh | 358 +++++++++++++++++++++
.../selftests/net/netfilter/nft_tproxy_udp.sh | 262 +++++++++++++++
22 files changed, 1091 insertions(+), 132 deletions(-)
create mode 100644 tools/testing/selftests/net/netfilter/conntrack_reverse_clash.c
create mode 100755 tools/testing/selftests/net/netfilter/conntrack_reverse_clash.sh
create mode 100755 tools/testing/selftests/net/netfilter/nft_tproxy_tcp.sh
create mode 100755 tools/testing/selftests/net/netfilter/nft_tproxy_udp.sh