| Message ID | 981718e8e2ca5cd34d1153f54eae06ab2f087c07.1575779993.git.lucien.xin@gmail.com |
|---|---|
| State | Changes Requested |
| Delegated to: | Pablo Neira |
| Headers | show |
| Series | netfilter: nft_tunnel: reinforce key opts support | expand |
Hi Xin, On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote: > To keep consistent with ipgre_policy, it's better to parse > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key, > cls_flower and ip_tunnel_core. > > Signed-off-by: Xin Long <lucien.xin@gmail.com> > --- > net/netfilter/nft_tunnel.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c > index 3d4c2ae..f76cd7d 100644 > --- a/net/netfilter/nft_tunnel.c > +++ b/net/netfilter/nft_tunnel.c > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr, > } > > static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = { > + [NFTA_TUNNEL_KEY_ERSPAN_VERSION] = { .type = NLA_U8 }, > [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX] = { .type = NLA_U32 }, > - [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > + [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID] = { .type = NLA_U8 }, > }; > > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr, > if (err < 0) > return err; > > - version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION])); > + version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]); I have concerns about this change and backwards-compatibility with existing users of this UAPI. Likewise, with other changes to the encoding of existing attributes elsewhere in this series. > switch (version) { > case ERSPAN_VERSION: > if (!tb[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]) > -- > 2.1.0 >
On Tue, Dec 10, 2019 at 4:03 AM Simon Horman <simon.horman@netronome.com> wrote: > > Hi Xin, > > On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote: > > To keep consistent with ipgre_policy, it's better to parse > > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key, > > cls_flower and ip_tunnel_core. > > > > Signed-off-by: Xin Long <lucien.xin@gmail.com> > > --- > > net/netfilter/nft_tunnel.c | 5 +++-- > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c > > index 3d4c2ae..f76cd7d 100644 > > --- a/net/netfilter/nft_tunnel.c > > +++ b/net/netfilter/nft_tunnel.c > > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr, > > } > > > > static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = { > > + [NFTA_TUNNEL_KEY_ERSPAN_VERSION] = { .type = NLA_U8 }, > > [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX] = { .type = NLA_U32 }, > > - [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > > + [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > > [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID] = { .type = NLA_U8 }, > > }; > > > > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr, > > if (err < 0) > > return err; > > > > - version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION])); > > + version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]); > > I have concerns about this change and backwards-compatibility with existing > users of this UAPI. Likewise, with other changes to the encoding of existing > attributes elsewhere in this series. userspace(nftables/libnftnl) is not ready for nft_tunnel, I don't think there will be any backwards-compatibility issue. Pablo? > > > switch (version) { > > case ERSPAN_VERSION: > > if (!tb[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]) > > -- > > 2.1.0 > >
Hi, On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote: > To keep consistent with ipgre_policy, it's better to parse > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key, > cls_flower and ip_tunnel_core. > > Signed-off-by: Xin Long <lucien.xin@gmail.com> > --- > net/netfilter/nft_tunnel.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c > index 3d4c2ae..f76cd7d 100644 > --- a/net/netfilter/nft_tunnel.c > +++ b/net/netfilter/nft_tunnel.c > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr, > } > > static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = { > + [NFTA_TUNNEL_KEY_ERSPAN_VERSION] = { .type = NLA_U8 }, > [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX] = { .type = NLA_U32 }, > - [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > + [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID] = { .type = NLA_U8 }, > }; > > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr, > if (err < 0) > return err; > > - version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION])); > + version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]); I think NFTA_TUNNEL_KEY_ERSPAN_VERSION as 32-bit is just fine. Netlink will be adding the padding anyway for u8. I would suggest you leave this as is. Thanks.
On Thu, Dec 12, 2019 at 5:51 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote: > > Hi, > > On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote: > > To keep consistent with ipgre_policy, it's better to parse > > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key, > > cls_flower and ip_tunnel_core. > > > > Signed-off-by: Xin Long <lucien.xin@gmail.com> > > --- > > net/netfilter/nft_tunnel.c | 5 +++-- > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c > > index 3d4c2ae..f76cd7d 100644 > > --- a/net/netfilter/nft_tunnel.c > > +++ b/net/netfilter/nft_tunnel.c > > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr, > > } > > > > static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = { > > + [NFTA_TUNNEL_KEY_ERSPAN_VERSION] = { .type = NLA_U8 }, > > [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX] = { .type = NLA_U32 }, > > - [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > > + [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > > [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID] = { .type = NLA_U8 }, > > }; > > > > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr, > > if (err < 0) > > return err; > > > > - version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION])); > > + version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]); > > I think NFTA_TUNNEL_KEY_ERSPAN_VERSION as 32-bit is just fine. > > Netlink will be adding the padding anyway for u8. > > I would suggest you leave this as is. okay. do you think I should prepare another patch/fix for the missing nla_policy part? [NFTA_TUNNEL_KEY_ERSPAN_VERSION] = { .type = NLA_U32 }, Thanks.
On Thu, Dec 12, 2019 at 11:20:19AM +0800, Xin Long wrote: > On Thu, Dec 12, 2019 at 5:51 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote: > > > > Hi, > > > > On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote: > > > To keep consistent with ipgre_policy, it's better to parse > > > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key, > > > cls_flower and ip_tunnel_core. > > > > > > Signed-off-by: Xin Long <lucien.xin@gmail.com> > > > --- > > > net/netfilter/nft_tunnel.c | 5 +++-- > > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > > > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c > > > index 3d4c2ae..f76cd7d 100644 > > > --- a/net/netfilter/nft_tunnel.c > > > +++ b/net/netfilter/nft_tunnel.c > > > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr, > > > } > > > > > > static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = { > > > + [NFTA_TUNNEL_KEY_ERSPAN_VERSION] = { .type = NLA_U8 }, > > > [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX] = { .type = NLA_U32 }, > > > - [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > > > + [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > > > [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID] = { .type = NLA_U8 }, > > > }; > > > > > > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr, > > > if (err < 0) > > > return err; > > > > > > - version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION])); > > > + version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]); > > > > I think NFTA_TUNNEL_KEY_ERSPAN_VERSION as 32-bit is just fine. > > > > Netlink will be adding the padding anyway for u8. > > > > I would suggest you leave this as is. > okay. > > do you think I should prepare another patch/fix for the missing nla_policy part? > [NFTA_TUNNEL_KEY_ERSPAN_VERSION] = { .type = NLA_U32 }, Yes, please, thanks.
On Tue, Dec 10, 2019 at 12:05:15PM +0800, Xin Long wrote: > On Tue, Dec 10, 2019 at 4:03 AM Simon Horman <simon.horman@netronome.com> wrote: > > > > Hi Xin, > > > > On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote: > > > To keep consistent with ipgre_policy, it's better to parse > > > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key, > > > cls_flower and ip_tunnel_core. > > > > > > Signed-off-by: Xin Long <lucien.xin@gmail.com> > > > --- > > > net/netfilter/nft_tunnel.c | 5 +++-- > > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > > > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c > > > index 3d4c2ae..f76cd7d 100644 > > > --- a/net/netfilter/nft_tunnel.c > > > +++ b/net/netfilter/nft_tunnel.c > > > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr, > > > } > > > > > > static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = { > > > + [NFTA_TUNNEL_KEY_ERSPAN_VERSION] = { .type = NLA_U8 }, > > > [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX] = { .type = NLA_U32 }, > > > - [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > > > + [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > > > [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID] = { .type = NLA_U8 }, > > > }; > > > > > > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr, > > > if (err < 0) > > > return err; > > > > > > - version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION])); > > > + version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]); > > > > I have concerns about this change and backwards-compatibility with existing > > users of this UAPI. Likewise, with other changes to the encoding of existing > > attributes elsewhere in this series. > userspace(nftables/libnftnl) is not ready for nft_tunnel, I don't > think there will be > any backwards-compatibility issue. > > Pablo? Thanks, I'm happy to defer to Pablo on this question. > > > > > > switch (version) { > > > case ERSPAN_VERSION: > > > if (!tb[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]) > > > -- > > > 2.1.0 > > >
Hi Simon, On Fri, Dec 13, 2019 at 10:30:26AM +0100, Simon Horman wrote: > On Tue, Dec 10, 2019 at 12:05:15PM +0800, Xin Long wrote: > > On Tue, Dec 10, 2019 at 4:03 AM Simon Horman <simon.horman@netronome.com> wrote: > > > > > > Hi Xin, > > > > > > On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote: > > > > To keep consistent with ipgre_policy, it's better to parse > > > > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key, > > > > cls_flower and ip_tunnel_core. > > > > > > > > Signed-off-by: Xin Long <lucien.xin@gmail.com> > > > > --- > > > > net/netfilter/nft_tunnel.c | 5 +++-- > > > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c > > > > index 3d4c2ae..f76cd7d 100644 > > > > --- a/net/netfilter/nft_tunnel.c > > > > +++ b/net/netfilter/nft_tunnel.c > > > > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr, > > > > } > > > > > > > > static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = { > > > > + [NFTA_TUNNEL_KEY_ERSPAN_VERSION] = { .type = NLA_U8 }, > > > > [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX] = { .type = NLA_U32 }, > > > > - [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > > > > + [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, > > > > [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID] = { .type = NLA_U8 }, > > > > }; > > > > > > > > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr, > > > > if (err < 0) > > > > return err; > > > > > > > > - version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION])); > > > > + version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]); > > > > > > I have concerns about this change and backwards-compatibility with existing > > > users of this UAPI. Likewise, with other changes to the encoding of existing > > > attributes elsewhere in this series. > > > > userspace(nftables/libnftnl) is not ready for nft_tunnel, I don't > > think there will be any backwards-compatibility issue. > > > > Pablo? > > Thanks, I'm happy to defer to Pablo on this question. I agree with Xin. This uapi is not in good shape and there is no upstream userspace code for this, no nftables support for this yet. In this particular case I'm inclined to fix uapi, better sooner than never. Thanks.
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c index 3d4c2ae..f76cd7d 100644 --- a/net/netfilter/nft_tunnel.c +++ b/net/netfilter/nft_tunnel.c @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr, } static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = { + [NFTA_TUNNEL_KEY_ERSPAN_VERSION] = { .type = NLA_U8 }, [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX] = { .type = NLA_U32 }, - [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, + [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID] = { .type = NLA_U8 }, }; @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr, if (err < 0) return err; - version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION])); + version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]); switch (version) { case ERSPAN_VERSION: if (!tb[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX])
To keep consistent with ipgre_policy, it's better to parse ERSPAN_VERSION attr as u8, as it does in act_tunnel_key, cls_flower and ip_tunnel_core. Signed-off-by: Xin Long <lucien.xin@gmail.com> --- net/netfilter/nft_tunnel.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)