[{"id":1770295,"web_url":"http://patchwork.ozlabs.org/comment/1770295/","msgid":"<20170918162811.GA6091@salvia>","list_archive_url":null,"date":"2017-09-18T16:28:11","subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"Hi Rafael,\n\nOn Sun, Sep 17, 2017 at 02:20:30PM +0300, Shmulik Ladkani wrote:\n> From: Rafael Buchbinder \n> \n> From: Rafael Buchbinder \n> \n> This commit introduces a framework to fixup match info,\n> which may be required by an extension.\n> \n> Signed-off-by: Rafael Buchbinder \n> Signed-off-by: Shmulik Ladkani \n> ---\n> include/xtables.h | 3 +++\n> iptables/ip6tables.c | 35 +++++++++++++++++++++++++++++++++++\n> iptables/iptables.c | 34 ++++++++++++++++++++++++++++++++++\n> 3 files changed, 72 insertions(+)\n> \n> diff --git a/include/xtables.h b/include/xtables.h\n> index e9bc3b7d..687cfe9f 100644\n> --- a/include/xtables.h\n> +++ b/include/xtables.h\n> @@ -273,6 +273,9 @@ struct xtables_match {\n> \t/* ip is struct ipt_ip * for example */\n> \tvoid (*save)(const void *ip, const struct xt_entry_match *match);\n> \n> +\t/* Fixes the match info after init. */\n> +\tvoid (*tc_init_fixup)(struct xt_entry_match *match);\n\nIf this is only broken from tc ipt actions, could you fix this from\niproute2/tc instead?\n--\nTo unsubscribe from this list: send the line \"unsubscribe netfilter-devel\" in\nthe body of a message to majordomo@vger.kernel.org\nMore majordomo info at http://vger.kernel.org/majordomo-info.html","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netfilter-devel-owner@vger.kernel.org;\n\treceiver=)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xwrz83G8Bz9s7F\n\tfor ;\n\tTue, 19 Sep 2017 02:28:20 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1756025AbdIRQ2S (ORCPT );\n\tMon, 18 Sep 2017 12:28:18 -0400","from ganesha.gnumonks.org ([213.95.27.120]:36366 \"EHLO\n\tganesha.gnumonks.org\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1755981AbdIRQ2P (ORCPT\n\t);\n\tMon, 18 Sep 2017 12:28:15 -0400","from 129.166.216.87.static.jazztel.es ([87.216.166.129]\n\thelo=gnumonks.org) by ganesha.gnumonks.org with esmtpsa\n\t(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2)\n\t(envelope-from )\n\tid 1dtyu4-00064d-7L; Mon, 18 Sep 2017 18:28:14 +0200"],"Date":"Mon, 18 Sep 2017 18:28:11 +0200","From":"Pablo Neira Ayuso ","To":"Shmulik Ladkani ","Cc":"netfilter-devel@vger.kernel.org,\n\tWillem de Bruijn , rbk@nsof.io,\n\tRafael Buchbinder ","Subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","Message-ID":"<20170918162811.GA6091@salvia>","References":"<20170917112031.8644-1-shmulik@nsof.io>\n\t<20170917112031.8644-2-shmulik@nsof.io>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20170917112031.8644-2-shmulik@nsof.io>","User-Agent":"Mutt/1.5.23 (2014-03-12)","X-Spam-Score":"-2.9 (--)","Sender":"netfilter-devel-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netfilter-devel@vger.kernel.org"}},{"id":1770322,"web_url":"http://patchwork.ozlabs.org/comment/1770322/","msgid":"<20170918200042.3189aa0f@pixies>","list_archive_url":null,"date":"2017-09-18T17:00:42","subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","submitter":{"id":72382,"url":"http://patchwork.ozlabs.org/api/people/72382/","name":"Shmulik Ladkani","email":"shmulik@nsof.io"},"content":"Hi Pablo,\n\nOn Mon, 18 Sep 2017 18:28:11 +0200 Pablo Neira Ayuso wrote:\n\n> > \n> > +\t/* Fixes the match info after init. */\n> > +\tvoid (*tc_init_fixup)(struct xt_entry_match *match); \n> \n> If this is only broken from tc ipt actions, could you fix this from\n> iproute2/tc instead?\n\nNo, this is not iproute2/tc specfic.\n\nWe named it 'tc_init_fixup' as it occurs just after the TC_INIT\n(iptc_init/ip6tc_init) call.\nIf this is confusing, we can rename to 'init_fixup' or 'post_init_fixup'\nor 'iptc_init_fixup'.\n\nThis must occur after every load of entries, as the xt_bpf match needs\na fixup once read from kernel.\n\nThe problem lies in the xt_bpf_info_v1 ABI.\nSee:\nhttps://marc.info/?l=netfilter-devel&m=150530909630143&w=2\n\nRegards,\nShmulik\n--\nTo unsubscribe from this list: send the line \"unsubscribe netfilter-devel\" in\nthe body of a message to majordomo@vger.kernel.org\nMore majordomo info at http://vger.kernel.org/majordomo-info.html","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netfilter-devel-owner@vger.kernel.org;\n\treceiver=)","ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n\tunprotected) header.d=nsof.io header.i=@nsof.io header.b=\"OAnERkm8\";\n\tdkim-atps=neutral"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xwshc3QMHz9s7M\n\tfor ;\n\tTue, 19 Sep 2017 03:00:48 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S932941AbdIRRAr (ORCPT );\n\tMon, 18 Sep 2017 13:00:47 -0400","from mail-wm0-f41.google.com ([74.125.82.41]:50489 \"EHLO\n\tmail-wm0-f41.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S932254AbdIRRAq (ORCPT\n\t);\n\tMon, 18 Sep 2017 13:00:46 -0400","by mail-wm0-f41.google.com with SMTP id v142so4494237wmv.5\n\tfor ;\n\tMon, 18 Sep 2017 10:00:46 -0700 (PDT)","from pixies ([141.226.174.233]) by smtp.gmail.com with ESMTPSA id\n\t77sm8003129wmx.10.2017.09.18.10.00.43\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tMon, 18 Sep 2017 10:00:44 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=nsof.io; s=google;\n\th=date:from:to:cc:subject:message-id:in-reply-to:references\n\t:mime-version:content-transfer-encoding;\n\tbh=1T9Z1lAMBSBkP+Vg8EEI4OYWFj98/6EGZA8yfZ4dt4k=;\n\tb=OAnERkm8GEh9zO0N6R0uDBn07v55GeNC9seGTl5W62TkxUtJehDI5nO6S2SjxOn6sy\n\t8q1UB34ns74obzXVbPAUv2n420pai+pMbT7it/srVjhNWH5oPi/iCvObT16qqkWBgAgX\n\tzmANaE0oKiVaR510LZGVBSwxH9YH3UOenE+jc=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to\n\t:references:mime-version:content-transfer-encoding;\n\tbh=1T9Z1lAMBSBkP+Vg8EEI4OYWFj98/6EGZA8yfZ4dt4k=;\n\tb=YOj+AUSduA5MG3cabAfMpeF41deBDjxXJk8Hb8b0xALkpDLJ8hDhitWzvSDi+uZzcE\n\tTHFPcbpKLgTugl0O60duV/wl1hx1Zh3tzNLjgpylaWZL7oguId+w0g2Q6nUE7qQB+qgg\n\tx9VyGNK7sK62jT9k0eL86ICxkyGr+HL41mA6ukSfpmPofHUBTQB/rwUVr80sI9eESkEl\n\t7blGeQaIR0tT3RkHwqFR2AfjtQSybdiCQqM9EaRfD0IV7RWH3ZOdQergJrbfbIhVCQGX\n\t7+NWtx40mc5aWqIPYDNr61J8NDH+JUYCWg6nFc0Yq23e0LuihiaxCxGn3bRf5H8tTVt5\n\tyQog==","X-Gm-Message-State":"AHPjjUjU+t/hlGHSEk1GjDQ9ftyWXIBmHrxUkdwlalif3hiFFap/KQu0\n\td1izQ+vxUQEAbi7bXz80PsuVaVr5zN4=","X-Google-Smtp-Source":"AOwi7QCibEhqkoADAAZoK8JeRtWiKT8ERliHqrKBgSGtkXl7MJ7dkGwW1BdI6Huk99odGL/lT2hM7w==","X-Received":"by 10.28.132.193 with SMTP id g184mr8543266wmd.26.1505754045512; \n\tMon, 18 Sep 2017 10:00:45 -0700 (PDT)","Date":"Mon, 18 Sep 2017 20:00:42 +0300","From":"Shmulik Ladkani ","To":"Pablo Neira Ayuso ","Cc":"netfilter-devel@vger.kernel.org,\n\tWillem de Bruijn , rbk@nsof.io,\n\tRafael Buchbinder ","Subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","Message-ID":"<20170918200042.3189aa0f@pixies>","In-Reply-To":"<20170918162811.GA6091@salvia>","References":"<20170917112031.8644-1-shmulik@nsof.io>\n\t<20170917112031.8644-2-shmulik@nsof.io>\n\t<20170918162811.GA6091@salvia>","MIME-Version":"1.0","Content-Type":"text/plain; charset=US-ASCII","Content-Transfer-Encoding":"7bit","Sender":"netfilter-devel-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netfilter-devel@vger.kernel.org"}},{"id":1770353,"web_url":"http://patchwork.ozlabs.org/comment/1770353/","msgid":"<20170918172353.GA8982@salvia>","list_archive_url":null,"date":"2017-09-18T17:23:53","subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Mon, Sep 18, 2017 at 08:00:42PM +0300, Shmulik Ladkani wrote:\n> Hi Pablo,\n> \n> On Mon, 18 Sep 2017 18:28:11 +0200 Pablo Neira Ayuso wrote:\n> \n> > > \n> > > +\t/* Fixes the match info after init. */\n> > > +\tvoid (*tc_init_fixup)(struct xt_entry_match *match); \n> > \n> > If this is only broken from tc ipt actions, could you fix this from\n> > iproute2/tc instead?\n> \n> No, this is not iproute2/tc specfic.\n\nOK.\n\n> We named it 'tc_init_fixup' as it occurs just after the TC_INIT\n> (iptc_init/ip6tc_init) call.\n> If this is confusing, we can rename to 'init_fixup' or 'post_init_fixup'\n> or 'iptc_init_fixup'.\n> \n> This must occur after every load of entries, as the xt_bpf match needs\n> a fixup once read from kernel.\n> \n> The problem lies in the xt_bpf_info_v1 ABI.\n> See:\n> https://marc.info/?l=netfilter-devel&m=150530909630143&w=2\n\nI see, can we get a v2 ABI that fixes this? Given this was included\nnot long time ago, we can quickly deprecate this without this custom\nhook to address this.\n\nWe can include this in the next iptables release in the next weeks.\n--\nTo unsubscribe from this list: send the line \"unsubscribe netfilter-devel\" in\nthe body of a message to majordomo@vger.kernel.org\nMore majordomo info at http://vger.kernel.org/majordomo-info.html","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netfilter-devel-owner@vger.kernel.org;\n\treceiver=)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xwtCN0gMPz9s7g\n\tfor ;\n\tTue, 19 Sep 2017 03:24:00 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1754908AbdIRRX7 (ORCPT );\n\tMon, 18 Sep 2017 13:23:59 -0400","from ganesha.gnumonks.org ([213.95.27.120]:36852 \"EHLO\n\tganesha.gnumonks.org\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1754824AbdIRRX6 (ORCPT\n\t);\n\tMon, 18 Sep 2017 13:23:58 -0400","from 129.166.216.87.static.jazztel.es ([87.216.166.129]\n\thelo=gnumonks.org) by ganesha.gnumonks.org with esmtpsa\n\t(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2)\n\t(envelope-from )\n\tid 1dtzly-0007Vf-Pn; Mon, 18 Sep 2017 19:23:56 +0200"],"Date":"Mon, 18 Sep 2017 19:23:53 +0200","From":"Pablo Neira Ayuso ","To":"Shmulik Ladkani ","Cc":"netfilter-devel@vger.kernel.org,\n\tWillem de Bruijn , rbk@nsof.io,\n\tRafael Buchbinder ","Subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","Message-ID":"<20170918172353.GA8982@salvia>","References":"<20170917112031.8644-1-shmulik@nsof.io>\n\t<20170917112031.8644-2-shmulik@nsof.io>\n\t<20170918162811.GA6091@salvia> <20170918200042.3189aa0f@pixies>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20170918200042.3189aa0f@pixies>","User-Agent":"Mutt/1.5.23 (2014-03-12)","X-Spam-Score":"-2.8 (--)","Sender":"netfilter-devel-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netfilter-devel@vger.kernel.org"}},{"id":1770370,"web_url":"http://patchwork.ozlabs.org/comment/1770370/","msgid":"","list_archive_url":null,"date":"2017-09-18T17:50:32","subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","submitter":{"id":8804,"url":"http://patchwork.ozlabs.org/api/people/8804/","name":"Willem de Bruijn","email":"willemb@google.com"},"content":"On Mon, Sep 18, 2017 at 1:23 PM, Pablo Neira Ayuso wrote:\n> On Mon, Sep 18, 2017 at 08:00:42PM +0300, Shmulik Ladkani wrote:\n>> Hi Pablo,\n>>\n>> On Mon, 18 Sep 2017 18:28:11 +0200 Pablo Neira Ayuso wrote:\n>>\n>> > >\n>> > > + /* Fixes the match info after init. */\n>> > > + void (*tc_init_fixup)(struct xt_entry_match *match);\n>> >\n>> > If this is only broken from tc ipt actions, could you fix this from\n>> > iproute2/tc instead?\n>>\n>> No, this is not iproute2/tc specfic.\n>\n> OK.\n>\n>> We named it 'tc_init_fixup' as it occurs just after the TC_INIT\n>> (iptc_init/ip6tc_init) call.\n>> If this is confusing, we can rename to 'init_fixup' or 'post_init_fixup'\n>> or 'iptc_init_fixup'.\n>>\n>> This must occur after every load of entries, as the xt_bpf match needs\n>> a fixup once read from kernel.\n>>\n>> The problem lies in the xt_bpf_info_v1 ABI.\n>> See:\n>> https://marc.info/?l=netfilter-devel&m=150530909630143&w=2\n>\n> I see, can we get a v2 ABI that fixes this? Given this was included\n> not long time ago, we can quickly deprecate this without this custom\n> hook to address this.\n\nWe can perhaps change the kernel module to ignore .fd and do a\npath lookup for .path directly inside the kernel. That would not\nrequire a v2, even.\n--\nTo unsubscribe from this list: send the line \"unsubscribe netfilter-devel\" in\nthe body of a message to majordomo@vger.kernel.org\nMore majordomo info at http://vger.kernel.org/majordomo-info.html","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netfilter-devel-owner@vger.kernel.org;\n\treceiver=)","ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n\tunprotected) header.d=google.com header.i=@google.com\n\theader.b=\"E73MrC4n\"; dkim-atps=neutral"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xwtpj2Nd9z9s06\n\tfor ;\n\tTue, 19 Sep 2017 03:51:06 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1755321AbdIRRvF (ORCPT );\n\tMon, 18 Sep 2017 13:51:05 -0400","from mail-wm0-f42.google.com ([74.125.82.42]:43028 \"EHLO\n\tmail-wm0-f42.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1755294AbdIRRvF (ORCPT\n\t);\n\tMon, 18 Sep 2017 13:51:05 -0400","by mail-wm0-f42.google.com with SMTP id a137so14387862wma.0\n\tfor ;\n\tMon, 18 Sep 2017 10:51:04 -0700 (PDT)","by 10.28.51.137 with HTTP; Mon, 18 Sep 2017 10:50:32 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=google.com; s=20161025;\n\th=mime-version:in-reply-to:references:from:date:message-id:subject:to\n\t:cc; bh=/ujIrnN2CTB5/RPoGkYDNLMuRF4PWUAEA/tBdoOD+T4=;\n\tb=E73MrC4nZpVobAcm5aC7YbJN5/Eqe3oMEepYHx6y83nV6OpyrzBuqmO3br/G0JmUPx\n\tsGCh9s649w0t50qjk+oWciuLUxDF1SbhSJdA7u8RpG0/Ahv2J7ndM5aAaFGMhXzYbVWk\n\tPbx5ZFKTe4jwP+OvGAo+PSO67CR3uzl14toENfjM5gz+g0VDysD5eItgJhbtcL+IjiAx\n\tE07WaqyOEol3iC2q8JjcO3CUbzsbgv52TDPCghKLmMRbRLQ2ycQKh+D8km5USU5hUeQw\n\tWcB91vetz/sflCVjb7dm0UL5StGZcEVHaOER31MAVAkOhxuRQydlaveRCbksiIbYoL1e\n\tEudw==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:mime-version:in-reply-to:references:from:date\n\t:message-id:subject:to:cc;\n\tbh=/ujIrnN2CTB5/RPoGkYDNLMuRF4PWUAEA/tBdoOD+T4=;\n\tb=KZutaDPgE0SLiLp86epl1dOPOzP4KORaaymG3j9zlRWhubXEJMtslAKjIySIoUcZXw\n\teKvGgnakGj04vTBq1TfeQORRP3I4z77IUNlBmUAvG5wgpmKSwvN0Ysysg1cpbycRimmE\n\tqi5nrNUVoMN3A8kKbsbXLLdqt6+4Uvl97tHLEyTHmjsKIfx+yI2Z1RYxrnxZo2p3xvdX\n\tU3vW2wG8AZkv1MpS1wY6VvaVhFNmCREN6U0MItReC5nD3/wBrNt+hEEVQFLdiqB4N9q/\n\tGDhMKn6Z+t97LoDYaf1hjdFF9tBLFHSXv4hZpnecC5wqbB0JVlIwZMORPQXcp4Rcm2e1\n\t/5lg==","X-Gm-Message-State":"AHPjjUgQdLw2gAJlt2oB5eoQyfktlSrXG48xlvOCIkT3wxuYbGrg37Qf\n\ttao71WWeZuiSS69BLVMDRlXJzIE3nykk+SfXPzXCstOQ","X-Google-Smtp-Source":"AOwi7QAAykVVr02ypFE6bIA9ZQRC66RIqGVNmxycuxOGjmMhvlda7vuq4NmqNduG9jO1j3sW1r2sFxQNOrsSbOaLIpc=","X-Received":"by 10.28.4.135 with SMTP id 129mr9703430wme.34.1505757063729;\n\tMon, 18 Sep 2017 10:51:03 -0700 (PDT)","MIME-Version":"1.0","In-Reply-To":"<20170918172353.GA8982@salvia>","References":"<20170917112031.8644-1-shmulik@nsof.io>\n\t<20170917112031.8644-2-shmulik@nsof.io>\n\t<20170918162811.GA6091@salvia> <20170918200042.3189aa0f@pixies>\n\t<20170918172353.GA8982@salvia>","From":"Willem de Bruijn ","Date":"Mon, 18 Sep 2017 13:50:32 -0400","Message-ID":"","Subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","To":"Pablo Neira Ayuso ","Cc":"Shmulik Ladkani ,\n\tnetfilter-devel , rbk@nsof.io,\n\tRafael Buchbinder ","Content-Type":"text/plain; charset=\"UTF-8\"","Sender":"netfilter-devel-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netfilter-devel@vger.kernel.org"}},{"id":1770374,"web_url":"http://patchwork.ozlabs.org/comment/1770374/","msgid":"<20170918175424.GA17019@salvia>","list_archive_url":null,"date":"2017-09-18T17:54:24","subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Mon, Sep 18, 2017 at 01:50:32PM -0400, Willem de Bruijn wrote:\n> On Mon, Sep 18, 2017 at 1:23 PM, Pablo Neira Ayuso wrote:\n> > On Mon, Sep 18, 2017 at 08:00:42PM +0300, Shmulik Ladkani wrote:\n> >> Hi Pablo,\n> >>\n> >> On Mon, 18 Sep 2017 18:28:11 +0200 Pablo Neira Ayuso wrote:\n> >>\n> >> > >\n> >> > > + /* Fixes the match info after init. */\n> >> > > + void (*tc_init_fixup)(struct xt_entry_match *match);\n> >> >\n> >> > If this is only broken from tc ipt actions, could you fix this from\n> >> > iproute2/tc instead?\n> >>\n> >> No, this is not iproute2/tc specfic.\n> >\n> > OK.\n> >\n> >> We named it 'tc_init_fixup' as it occurs just after the TC_INIT\n> >> (iptc_init/ip6tc_init) call.\n> >> If this is confusing, we can rename to 'init_fixup' or 'post_init_fixup'\n> >> or 'iptc_init_fixup'.\n> >>\n> >> This must occur after every load of entries, as the xt_bpf match needs\n> >> a fixup once read from kernel.\n> >>\n> >> The problem lies in the xt_bpf_info_v1 ABI.\n> >> See:\n> >> https://marc.info/?l=netfilter-devel&m=150530909630143&w=2\n> >\n> > I see, can we get a v2 ABI that fixes this? Given this was included\n> > not long time ago, we can quickly deprecate this without this custom\n> > hook to address this.\n> \n> We can perhaps change the kernel module to ignore .fd and do a\n> path lookup for .path directly inside the kernel. That would not\n> require a v2, even.\n\nThat sounds very reasonable, so we can just address this as a plain\nfix and pass it on to -stable.\n--\nTo unsubscribe from this list: send the line \"unsubscribe netfilter-devel\" in\nthe body of a message to majordomo@vger.kernel.org\nMore majordomo info at http://vger.kernel.org/majordomo-info.html","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netfilter-devel-owner@vger.kernel.org;\n\treceiver=)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xwttb2nc0z9s06\n\tfor ;\n\tTue, 19 Sep 2017 03:54:31 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1756445AbdIRRya (ORCPT );\n\tMon, 18 Sep 2017 13:54:30 -0400","from ganesha.gnumonks.org ([213.95.27.120]:37072 \"EHLO\n\tganesha.gnumonks.org\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1755321AbdIRRy3 (ORCPT\n\t);\n\tMon, 18 Sep 2017 13:54:29 -0400","from 129.166.216.87.static.jazztel.es ([87.216.166.129]\n\thelo=gnumonks.org) by ganesha.gnumonks.org with esmtpsa\n\t(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2)\n\t(envelope-from )\n\tid 1du0FV-0008LN-Nv; Mon, 18 Sep 2017 19:54:27 +0200"],"Date":"Mon, 18 Sep 2017 19:54:24 +0200","From":"Pablo Neira Ayuso ","To":"Willem de Bruijn ","Cc":"Shmulik Ladkani ,\n\tnetfilter-devel , rbk@nsof.io,\n\tRafael Buchbinder ","Subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","Message-ID":"<20170918175424.GA17019@salvia>","References":"<20170917112031.8644-1-shmulik@nsof.io>\n\t<20170917112031.8644-2-shmulik@nsof.io>\n\t<20170918162811.GA6091@salvia> <20170918200042.3189aa0f@pixies>\n\t<20170918172353.GA8982@salvia>\n\t","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"","User-Agent":"Mutt/1.5.23 (2014-03-12)","X-Spam-Score":"-2.8 (--)","Sender":"netfilter-devel-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netfilter-devel@vger.kernel.org"}},{"id":1770381,"web_url":"http://patchwork.ozlabs.org/comment/1770381/","msgid":"","list_archive_url":null,"date":"2017-09-18T18:04:57","subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","submitter":{"id":13886,"url":"http://patchwork.ozlabs.org/api/people/13886/","name":"Jan Engelhardt","email":"jengelh@inai.de"},"content":"On Monday 2017-09-18 19:00, Shmulik Ladkani wrote:\n>\n>This must occur after every load of entries, as the xt_bpf match needs\n>a fixup once read from kernel.\n\nSo you could use the check function for it, do you not?\n--\nTo unsubscribe from this list: send the line \"unsubscribe netfilter-devel\" in\nthe body of a message to majordomo@vger.kernel.org\nMore majordomo info at http://vger.kernel.org/majordomo-info.html","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netfilter-devel-owner@vger.kernel.org;\n\treceiver=)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xwv6h6GJrz9s7g\n\tfor ;\n\tTue, 19 Sep 2017 04:05:00 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1755532AbdIRSE7 (ORCPT );\n\tMon, 18 Sep 2017 14:04:59 -0400","from a3.inai.de ([88.198.180.161]:59800 \"EHLO a3.inai.de\"\n\trhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP\n\tid S1753479AbdIRSE7 (ORCPT );\n\tMon, 18 Sep 2017 14:04:59 -0400","by a3.inai.de (Postfix, from userid 25121)\n\tid EF52E1924449A; Mon, 18 Sep 2017 20:04:57 +0200 (CEST)","from localhost (localhost [127.0.0.1])\n\tby a3.inai.de (Postfix) with ESMTP id ECAE817B6FFE;\n\tMon, 18 Sep 2017 20:04:57 +0200 (CEST)"],"Date":"Mon, 18 Sep 2017 20:04:57 +0200 (CEST)","From":"Jan Engelhardt ","To":"Shmulik Ladkani ","cc":"Pablo Neira Ayuso , netfilter-devel@vger.kernel.org,\n\tWillem de Bruijn , rbk@nsof.io,\n\tRafael Buchbinder ","Subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","In-Reply-To":"<20170918200042.3189aa0f@pixies>","Message-ID":"","References":"<20170917112031.8644-1-shmulik@nsof.io>\n\t<20170917112031.8644-2-shmulik@nsof.io>\n\t<20170918162811.GA6091@salvia> <20170918200042.3189aa0f@pixies>","User-Agent":"Alpine 2.21 (LSU 202 2017-01-01)","MIME-Version":"1.0","Content-Type":"text/plain; charset=US-ASCII","Sender":"netfilter-devel-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netfilter-devel@vger.kernel.org"}},{"id":1779882,"web_url":"http://patchwork.ozlabs.org/comment/1779882/","msgid":"<20171004143301.GA22316@salvia>","list_archive_url":null,"date":"2017-10-04T14:33:01","subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Mon, Sep 18, 2017 at 07:54:24PM +0200, Pablo Neira Ayuso wrote:\n> On Mon, Sep 18, 2017 at 01:50:32PM -0400, Willem de Bruijn wrote:\n> > On Mon, Sep 18, 2017 at 1:23 PM, Pablo Neira Ayuso wrote:\n> > > On Mon, Sep 18, 2017 at 08:00:42PM +0300, Shmulik Ladkani wrote:\n> > >> Hi Pablo,\n> > >>\n> > >> On Mon, 18 Sep 2017 18:28:11 +0200 Pablo Neira Ayuso wrote:\n> > >>\n> > >> > >\n> > >> > > + /* Fixes the match info after init. */\n> > >> > > + void (*tc_init_fixup)(struct xt_entry_match *match);\n> > >> >\n> > >> > If this is only broken from tc ipt actions, could you fix this from\n> > >> > iproute2/tc instead?\n> > >>\n> > >> No, this is not iproute2/tc specfic.\n> > >\n> > > OK.\n> > >\n> > >> We named it 'tc_init_fixup' as it occurs just after the TC_INIT\n> > >> (iptc_init/ip6tc_init) call.\n> > >> If this is confusing, we can rename to 'init_fixup' or 'post_init_fixup'\n> > >> or 'iptc_init_fixup'.\n> > >>\n> > >> This must occur after every load of entries, as the xt_bpf match needs\n> > >> a fixup once read from kernel.\n> > >>\n> > >> The problem lies in the xt_bpf_info_v1 ABI.\n> > >> See:\n> > >> https://marc.info/?l=netfilter-devel&m=150530909630143&w=2\n> > >\n> > > I see, can we get a v2 ABI that fixes this? Given this was included\n> > > not long time ago, we can quickly deprecate this without this custom\n> > > hook to address this.\n> > \n> > We can perhaps change the kernel module to ignore .fd and do a\n> > path lookup for .path directly inside the kernel. That would not\n> > require a v2, even.\n> \n> That sounds very reasonable, so we can just address this as a plain\n> fix and pass it on to -stable.\n\nAnyone following up with this?\n\nThanks!\n--\nTo unsubscribe from this list: send the line \"unsubscribe netfilter-devel\" in\nthe body of a message to majordomo@vger.kernel.org\nMore majordomo info at http://vger.kernel.org/majordomo-info.html","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netfilter-devel-owner@vger.kernel.org;\n\treceiver=)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3y6dfv6HZtz9sRW\n\tfor ;\n\tThu, 5 Oct 2017 01:33:11 +1100 (AEDT)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1752199AbdJDOdL (ORCPT );\n\tWed, 4 Oct 2017 10:33:11 -0400","from ganesha.gnumonks.org ([213.95.27.120]:50571 \"EHLO\n\tganesha.gnumonks.org\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1752141AbdJDOdK (ORCPT\n\t);\n\tWed, 4 Oct 2017 10:33:10 -0400","from 129.166.216.87.static.jazztel.es ([87.216.166.129]\n\thelo=gnumonks.org) by ganesha.gnumonks.org with esmtpsa\n\t(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2)\n\t(envelope-from )\n\tid 1dzkjO-0004Cz-8G; Wed, 04 Oct 2017 16:33:08 +0200"],"Date":"Wed, 4 Oct 2017 16:33:01 +0200","From":"Pablo Neira Ayuso ","To":"Willem de Bruijn ","Cc":"Shmulik Ladkani ,\n\tnetfilter-devel , rbk@nsof.io,\n\tRafael Buchbinder ","Subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","Message-ID":"<20171004143301.GA22316@salvia>","References":"<20170917112031.8644-1-shmulik@nsof.io>\n\t<20170917112031.8644-2-shmulik@nsof.io>\n\t<20170918162811.GA6091@salvia> <20170918200042.3189aa0f@pixies>\n\t<20170918172353.GA8982@salvia>\n\t\n\t<20170918175424.GA17019@salvia>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20170918175424.GA17019@salvia>","User-Agent":"Mutt/1.5.23 (2014-03-12)","X-Spam-Score":"-2.8 (--)","Sender":"netfilter-devel-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netfilter-devel@vger.kernel.org"}},{"id":1779886,"web_url":"http://patchwork.ozlabs.org/comment/1779886/","msgid":"<20171004173839.76c961d8@pixies>","list_archive_url":null,"date":"2017-10-04T14:38:39","subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","submitter":{"id":72382,"url":"http://patchwork.ozlabs.org/api/people/72382/","name":"Shmulik Ladkani","email":"shmulik@nsof.io"},"content":"Hi Pablo,\n\nOn Wed, 4 Oct 2017 16:33:01 +0200 Pablo Neira Ayuso wrote:\n\n> > > We can perhaps change the kernel module to ignore .fd and do a\n> > > path lookup for .path directly inside the kernel. That would not\n> > > require a v2, even. \n> > \n> > That sounds very reasonable, so we can just address this as a plain\n> > fix and pass it on to -stable. \n> \n> Anyone following up with this?\n\nI plan to work on a fix to the v1 abi, in which the given fd is ignored.\n\nBest,\nShmulik\n--\nTo unsubscribe from this list: send the line \"unsubscribe netfilter-devel\" in\nthe body of a message to majordomo@vger.kernel.org\nMore majordomo info at http://vger.kernel.org/majordomo-info.html","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netfilter-devel-owner@vger.kernel.org;\n\treceiver=)","ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n\tunprotected) header.d=nsof.io header.i=@nsof.io header.b=\"jsMBP4xE\";\n\tdkim-atps=neutral"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3y6dnK2QPHz9sRm\n\tfor ;\n\tThu, 5 Oct 2017 01:38:45 +1100 (AEDT)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1752250AbdJDOio (ORCPT );\n\tWed, 4 Oct 2017 10:38:44 -0400","from mail-wr0-f176.google.com ([209.85.128.176]:45366 \"EHLO\n\tmail-wr0-f176.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1752221AbdJDOin (ORCPT\n\t);\n\tWed, 4 Oct 2017 10:38:43 -0400","by mail-wr0-f176.google.com with SMTP id m18so8814575wrm.2\n\tfor ;\n\tWed, 04 Oct 2017 07:38:43 -0700 (PDT)","from pixies ([141.226.174.151]) by smtp.gmail.com with ESMTPSA id\n\tr63sm474444wmg.13.2017.10.04.07.38.41\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tWed, 04 Oct 2017 07:38:41 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=nsof.io; s=google;\n\th=date:from:to:cc:subject:message-id:in-reply-to:references\n\t:mime-version:content-transfer-encoding;\n\tbh=oTyIp8CxKVhmqpqy10prO0wzcvHC1c9AAxc8FrCq3LQ=;\n\tb=jsMBP4xE9B4iBZLuXX38lWcv2N3E/t71Lu4USGyCR80sqGzzOteF2Ap8pUmzUsa+k9\n\t4Hm8zqnc5nKUvIaTXf/4JL2ngnoXdjogE38bJK8YYlh/4Wj2zper6y0Ro7wCC+D1rWv0\n\t3WXgVOI20zWqKl406Qo6GV8ajCM6tQ59Pt3Yc=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to\n\t:references:mime-version:content-transfer-encoding;\n\tbh=oTyIp8CxKVhmqpqy10prO0wzcvHC1c9AAxc8FrCq3LQ=;\n\tb=pNMEX9Uh2sF0PEmnX6uUo1djj7UEsIQruNaRTE7yytv2ino+7A6dnmteT0WLXTF2z8\n\tBR8a62rBbZyZp9d5ycHS9gNYFsGyyuWqW3wJ0TiW0eCHv++t9Gwg8wC1so5t4uEpc3K1\n\tHZWtzSLavPEo5Hk0aJMYzMLkUkGZfPHaQll2sPORMNzM+JhWnOcUAXO6SJD1DwAx3W9Q\n\tIXkT4cu/6njlIQKYDOKdrsbssfRrvWpEOShjirDJ4oRMIhyY3wvaHROK7hD/CZsuuA03\n\tKafXLoNXgqk1qknJdO6K32C+NNUSltaUHlA3afEc6CgYalkBSWspW5xKhAagvObdQUAr\n\tDmtw==","X-Gm-Message-State":"AHPjjUgbUzQ5Uy7eiQbOFqNr0pFXUo1DYTFl719cBr/cHGuflHvQs6fk\n\twDEUGYVen6h1ca1R+CLncOLBYA==","X-Google-Smtp-Source":"AOwi7QCitHVQnnvl03wQOOm0OfcI3tq7HjPBQXbuTBM4sYNw6v56h8ayWYGbTTybektu3YwaXpxrEg==","X-Received":"by 10.223.186.6 with SMTP id o6mr18959252wrg.263.1507127922408; \n\tWed, 04 Oct 2017 07:38:42 -0700 (PDT)","Date":"Wed, 4 Oct 2017 17:38:39 +0300","From":"Shmulik Ladkani ","To":"Pablo Neira Ayuso ","Cc":"Willem de Bruijn ,\n\tnetfilter-devel , rbk@nsof.io,\n\tRafael Buchbinder ","Subject":"Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init","Message-ID":"<20171004173839.76c961d8@pixies>","In-Reply-To":"<20171004143301.GA22316@salvia>","References":"<20170917112031.8644-1-shmulik@nsof.io>\n\t<20170917112031.8644-2-shmulik@nsof.io>\n\t<20170918162811.GA6091@salvia> <20170918200042.3189aa0f@pixies>\n\t<20170918172353.GA8982@salvia>\n\t\n\t<20170918175424.GA17019@salvia> <20171004143301.GA22316@salvia>","MIME-Version":"1.0","Content-Type":"text/plain; charset=US-ASCII","Content-Transfer-Encoding":"7bit","Sender":"netfilter-devel-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netfilter-devel@vger.kernel.org"}}]