| Message ID | 20240627112713.4846-1-pablo@netfilter.org |
|---|---|
| State | Changes Requested |
| Headers | show |
Note for netdev maintainer: This PR is actually targeted at *net-next*. Please, let me know if you prefer I resubmit. On Thu, Jun 27, 2024 at 01:26:54PM +0200, Pablo Neira Ayuso wrote: > Hi, > > The following patchset contains Netfilter/IPVS updates for net-next: > > Patch #1 to #11 to shrink memory consumption for transaction objects: > > struct nft_trans_chain { /* size: 120 (-32), cachelines: 2, members: 10 */ > struct nft_trans_elem { /* size: 72 (-40), cachelines: 2, members: 4 */ > struct nft_trans_flowtable { /* size: 80 (-48), cachelines: 2, members: 5 */ > struct nft_trans_obj { /* size: 72 (-40), cachelines: 2, members: 4 */ > struct nft_trans_rule { /* size: 80 (-32), cachelines: 2, members: 6 */ > struct nft_trans_set { /* size: 96 (-24), cachelines: 2, members: 8 */ > struct nft_trans_table { /* size: 56 (-40), cachelines: 1, members: 2 */ > > struct nft_trans_elem can now be allocated from kmalloc-96 instead of > kmalloc-128 slab. > > Series from Florian Westphal. For the record, I have mangled patch #1 > to add nft_trans_container_*() and use if for every transaction object. > I have also added BUILD_BUG_ON to ensure struct nft_trans always comes > at the beginning of the container transaction object. And few minor > cleanups, any new bugs are of my own. > > Patch #12 simplify check for SCTP GSO in IPVS, from Ismael Luceno. > > Patch #13 nf_conncount key length remains in the u32 bound, from Yunjian Wang. > > Patch #14 removes unnecessary check for CTA_TIMEOUT_L3PROTO when setting > default conntrack timeouts via nfnetlink_cttimeout API, from > Lin Ma. > > Patch #15 updates NFT_SECMARK_CTX_MAXLEN to 4096, SELinux could use > larger secctx names than the existing 256 bytes length. > > Patch #16 fixes nfnetlink_queue with SCTP traffic, from Antonio Ojea. > > Patch #17 adds a selftest for SCTP traffic under nfnetlink_queue, > also from Antonio. > > Patch #18 adds a selftest to exercise nfnetlink_queue listeners leaving > nfnetlink_queue, from Florian Westphal. > > Patch #19 increases hitcount from 255 to 65535 in xt_recent, from Phil Sutter. > > Please, pull these changes from: > > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git nf-next-24-06-27 > > Thanks. > > ---------------------------------------------------------------- > > The following changes since commit c4532232fa2a4f8d9b9a88135a666545157f3d13: > > selftests: net: remove unneeded IP_GRE config (2024-06-25 08:37:55 -0700) > > are available in the Git repository at: > > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git nf-next-24-06-27 > > for you to fetch changes up to 8871d1e4dceb6692ea8217b1fc835c4bf2e93d97: > > netfilter: xt_recent: Lift restrictions on max hitcount value (2024-06-27 01:55:57 +0200) > > ---------------------------------------------------------------- > netfilter pull request 24-06-27 > > ---------------------------------------------------------------- > Antonio Ojea (2): > netfilter: nfnetlink_queue: unbreak SCTP traffic > selftests: netfilter: nft_queue.sh: sctp coverage > > Florian Westphal (12): > netfilter: nf_tables: make struct nft_trans first member of derived subtypes > netfilter: nf_tables: move bind list_head into relevant subtypes > netfilter: nf_tables: compact chain+ft transaction objects > netfilter: nf_tables: reduce trans->ctx.table references > netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx > netfilter: nf_tables: pass more specific nft_trans_chain where possible > netfilter: nf_tables: avoid usage of embedded nft_ctx > netfilter: nf_tables: store chain pointer in rule transaction > netfilter: nf_tables: reduce trans->ctx.chain references > netfilter: nf_tables: pass nft_table to destroy function > netfilter: nf_tables: do not store nft_ctx in transaction objects > selftests: netfilter: nft_queue.sh: add test for disappearing listener > > Ismael Luceno (1): > ipvs: Avoid unnecessary calls to skb_is_gso_sctp > > Lin Ma (1): > netfilter: cttimeout: remove 'l3num' attr check > > Pablo Neira Ayuso (1): > netfilter: nf_tables: rise cap on SELinux secmark context > > Phil Sutter (1): > netfilter: xt_recent: Lift restrictions on max hitcount value > > Yunjian Wang (1): > netfilter: nf_conncount: fix wrong variable type > > include/net/netfilter/nf_tables.h | 222 +++++++---- > include/uapi/linux/netfilter/nf_tables.h | 2 +- > net/core/dev.c | 1 + > net/netfilter/ipvs/ip_vs_proto_sctp.c | 4 +- > net/netfilter/nf_conncount.c | 8 +- > net/netfilter/nf_tables_api.c | 411 ++++++++++++--------- > net/netfilter/nf_tables_offload.c | 40 +- > net/netfilter/nfnetlink_cttimeout.c | 3 +- > net/netfilter/nfnetlink_queue.c | 12 +- > net/netfilter/nft_immediate.c | 2 +- > net/netfilter/xt_recent.c | 8 +- > tools/testing/selftests/net/netfilter/nft_queue.sh | 113 ++++++ > 12 files changed, 546 insertions(+), 280 deletions(-) >
On Thu, 27 Jun 2024 13:28:51 +0200 Pablo Neira Ayuso wrote: > Note for netdev maintainer: This PR is actually targeted at *net-next*. > > Please, let me know if you prefer I resubmit. Not a big deal, but since you offered I have another ask - looks like this series makes the nf_queue test time out in our infra. https://netdev.bots.linux.dev/contest.html?test=nft-queue-sh Could you take a look before you respin? It used to take 24 sec, not it times out after 224 sec..
Jakub Kicinski <kuba@kernel.org> wrote: > On Thu, 27 Jun 2024 13:28:51 +0200 Pablo Neira Ayuso wrote: > > Note for netdev maintainer: This PR is actually targeted at *net-next*. > > > > Please, let me know if you prefer I resubmit. > > Not a big deal, but since you offered I have another ask - looks like > this series makes the nf_queue test time out in our infra. > > https://netdev.bots.linux.dev/contest.html?test=nft-queue-sh > > Could you take a look before you respin? It used to take 24 sec, > not it times out after 224 sec.. Looks like its the sctp selftests that got added, I can have a look tomorrow.
On Thu, Jun 27, 2024 at 11:32:02AM -0700, Jakub Kicinski wrote: > On Thu, 27 Jun 2024 13:28:51 +0200 Pablo Neira Ayuso wrote: > > Note for netdev maintainer: This PR is actually targeted at *net-next*. > > > > Please, let me know if you prefer I resubmit. > > Not a big deal, but since you offered I have another ask - looks like > this series makes the nf_queue test time out in our infra. > > https://netdev.bots.linux.dev/contest.html?test=nft-queue-sh > > Could you take a look before you respin? It used to take 24 sec, > not it times out after 224 sec.. Please, ditch this PR, SCTP support for nfqueue is not yet ready. I will submit a new PR without these bits. Apologies for the noise, thanks.
Jakub Kicinski <kuba@kernel.org> wrote: > On Thu, 27 Jun 2024 13:28:51 +0200 Pablo Neira Ayuso wrote: > > Note for netdev maintainer: This PR is actually targeted at *net-next*. > > > > Please, let me know if you prefer I resubmit. > > Not a big deal, but since you offered I have another ask - looks like > this series makes the nf_queue test time out in our infra. > > https://netdev.bots.linux.dev/contest.html?test=nft-queue-sh > > Could you take a look before you respin? It used to take 24 sec, > not it times out after 224 sec.. FTR, its missing update to config file: diff --git a/tools/testing/selftests/net/netfilter/config b/tools/testing/selftests/net/netfilter/config index 63ef80ef47a4..b2dd4db45215 100644 --- a/tools/testing/selftests/net/netfilter/config +++ b/tools/testing/selftests/net/netfilter/config @@ -87,3 +87,5 @@ CONFIG_XFRM_USER=m CONFIG_XFRM_STATISTICS=y CONFIG_NET_PKTGEN=m CONFIG_TUN=m +CONFIG_INET_DIAG=m +CONFIG_SCTP_DIAG=m so the 'wait for sctp listener to appear' takes 1m, after that the nfqueue listener has timed out aeons ago and sctp connect hangs until timeout. But fixing the config shows the tests are very very flaky, this needs more work, will look into it on monday. Sorry for this.
Hi, The following patchset contains Netfilter/IPVS updates for net-next: Patch #1 to #11 to shrink memory consumption for transaction objects: struct nft_trans_chain { /* size: 120 (-32), cachelines: 2, members: 10 */ struct nft_trans_elem { /* size: 72 (-40), cachelines: 2, members: 4 */ struct nft_trans_flowtable { /* size: 80 (-48), cachelines: 2, members: 5 */ struct nft_trans_obj { /* size: 72 (-40), cachelines: 2, members: 4 */ struct nft_trans_rule { /* size: 80 (-32), cachelines: 2, members: 6 */ struct nft_trans_set { /* size: 96 (-24), cachelines: 2, members: 8 */ struct nft_trans_table { /* size: 56 (-40), cachelines: 1, members: 2 */ struct nft_trans_elem can now be allocated from kmalloc-96 instead of kmalloc-128 slab. Series from Florian Westphal. For the record, I have mangled patch #1 to add nft_trans_container_*() and use if for every transaction object. I have also added BUILD_BUG_ON to ensure struct nft_trans always comes at the beginning of the container transaction object. And few minor cleanups, any new bugs are of my own. Patch #12 simplify check for SCTP GSO in IPVS, from Ismael Luceno. Patch #13 nf_conncount key length remains in the u32 bound, from Yunjian Wang. Patch #14 removes unnecessary check for CTA_TIMEOUT_L3PROTO when setting default conntrack timeouts via nfnetlink_cttimeout API, from Lin Ma. Patch #15 updates NFT_SECMARK_CTX_MAXLEN to 4096, SELinux could use larger secctx names than the existing 256 bytes length. Patch #16 fixes nfnetlink_queue with SCTP traffic, from Antonio Ojea. Patch #17 adds a selftest for SCTP traffic under nfnetlink_queue, also from Antonio. Patch #18 adds a selftest to exercise nfnetlink_queue listeners leaving nfnetlink_queue, from Florian Westphal. Patch #19 increases hitcount from 255 to 65535 in xt_recent, from Phil Sutter. Please, pull these changes from: git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git nf-next-24-06-27 Thanks. ---------------------------------------------------------------- The following changes since commit c4532232fa2a4f8d9b9a88135a666545157f3d13: selftests: net: remove unneeded IP_GRE config (2024-06-25 08:37:55 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git nf-next-24-06-27 for you to fetch changes up to 8871d1e4dceb6692ea8217b1fc835c4bf2e93d97: netfilter: xt_recent: Lift restrictions on max hitcount value (2024-06-27 01:55:57 +0200) ---------------------------------------------------------------- netfilter pull request 24-06-27 ---------------------------------------------------------------- Antonio Ojea (2): netfilter: nfnetlink_queue: unbreak SCTP traffic selftests: netfilter: nft_queue.sh: sctp coverage Florian Westphal (12): netfilter: nf_tables: make struct nft_trans first member of derived subtypes netfilter: nf_tables: move bind list_head into relevant subtypes netfilter: nf_tables: compact chain+ft transaction objects netfilter: nf_tables: reduce trans->ctx.table references netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx netfilter: nf_tables: pass more specific nft_trans_chain where possible netfilter: nf_tables: avoid usage of embedded nft_ctx netfilter: nf_tables: store chain pointer in rule transaction netfilter: nf_tables: reduce trans->ctx.chain references netfilter: nf_tables: pass nft_table to destroy function netfilter: nf_tables: do not store nft_ctx in transaction objects selftests: netfilter: nft_queue.sh: add test for disappearing listener Ismael Luceno (1): ipvs: Avoid unnecessary calls to skb_is_gso_sctp Lin Ma (1): netfilter: cttimeout: remove 'l3num' attr check Pablo Neira Ayuso (1): netfilter: nf_tables: rise cap on SELinux secmark context Phil Sutter (1): netfilter: xt_recent: Lift restrictions on max hitcount value Yunjian Wang (1): netfilter: nf_conncount: fix wrong variable type include/net/netfilter/nf_tables.h | 222 +++++++---- include/uapi/linux/netfilter/nf_tables.h | 2 +- net/core/dev.c | 1 + net/netfilter/ipvs/ip_vs_proto_sctp.c | 4 +- net/netfilter/nf_conncount.c | 8 +- net/netfilter/nf_tables_api.c | 411 ++++++++++++--------- net/netfilter/nf_tables_offload.c | 40 +- net/netfilter/nfnetlink_cttimeout.c | 3 +- net/netfilter/nfnetlink_queue.c | 12 +- net/netfilter/nft_immediate.c | 2 +- net/netfilter/xt_recent.c | 8 +- tools/testing/selftests/net/netfilter/nft_queue.sh | 113 ++++++ 12 files changed, 546 insertions(+), 280 deletions(-)