From patchwork Thu Aug 10 11:23:23 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1819800 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=C3zVI47l; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4RM4LR1L0Gz1yf6 for ; Thu, 10 Aug 2023 21:23:43 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231822AbjHJLXk (ORCPT ); Thu, 10 Aug 2023 07:23:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50626 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230364AbjHJLXj (ORCPT ); Thu, 10 Aug 2023 07:23:39 -0400 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B9088268A for ; Thu, 10 Aug 2023 04:23:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=5vd/PUErkm7zyamcb3Rr/kzuL/THySBbt4MOXcC/1YE=; b=C3zVI47lT2V/8+VP4dqEiDNFbm 
8cy//ZXpm2rcvnh6m5L/CwyBTtK1ohbZmL0kD5fu9RNIpgsu1CyILGkrx31y/UaGGVOvUwBt0xtga 7/FSgcLo1z4sg721sY6AM1IjrpMIeZ3x6bK1PXxkoo/3kHD+bs01I+dGcU5guvutlhSu2kMj47AXv OnKB0baA/Ydj267J+GMJ1x4ayzsaJt0UIfiWSEFXoKuUFXjEVvNJH+4IiTgACs6qTIeQJeYVYuRgO ctc0eDcfJyU8cojog6NrjHcJjnnC5kzEmurklc0CicfAD8CWas3TyuOGWTWAxzqE7SsmPFk6k0PET kWHyPryg==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1qU3lN-0004Nq-RG for netfilter-devel@vger.kernel.org; Thu, 10 Aug 2023 13:23:34 +0200 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH v2 1/3] nft: Create builtin chains with counters enabled Date: Thu, 10 Aug 2023 13:23:23 +0200 Message-Id: <20230810112325.20630-2-phil@nwl.cc> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20230810112325.20630-1-phil@nwl.cc> References: <20230810112325.20630-1-phil@nwl.cc> MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org The kernel enables policy counters for nftables chains only if NFTA_CHAIN_COUNTERS attribute is present. For this to be generated, one has to set NFTNL_CHAIN_PACKETS and NFTNL_CHAIN_BYTES attributes in the allocated nftnl_chain object. The above happened for base chains only with iptables-nft-restore if called with --counters flag. Since this is very unintuitive to users, fix the situation by adding counters to base chains in any case. Fixes: 384958620abab ("use nf_tables and nf_tables compatibility interface") Signed-off-by: Phil Sutter --- iptables/nft.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index 326dc20b21d65..97fd4f49fdb4c 100644 --- a/iptables/nft.c 
+++ b/iptables/nft.c @@ -701,6 +701,9 @@ nft_chain_builtin_alloc(int family, const char *tname, nftnl_chain_set_str(c, NFTNL_CHAIN_TYPE, chain->type); + nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, 0); + nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, 0); + return c; } @@ -961,6 +964,7 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h, int policy, const struct xt_counters *counters) { + static const struct xt_counters zero = {}; struct nftnl_chain *c; const struct builtin_table *_t; const struct builtin_chain *_c; 
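Review bot: the two nftnl_chain_set_u64() calls added in the nft_chain_builtin_alloc hunk carry no comment, so nothing at the call site explains why a freshly allocated builtin chain gets explicit zero counters; the reason (the kernel only enables policy counters when NFTA_CHAIN_COUNTERS is present, which libnftnl only emits when NFTNL_CHAIN_PACKETS and NFTNL_CHAIN_BYTES are set) currently lives only in the commit message, and a one-line comment such as `/* make the kernel attach policy counters to this chain */` would keep it next to the code. Minor style point: this hunk sets NFTNL_CHAIN_PACKETS before NFTNL_CHAIN_BYTES while nft_chain_new() sets BYTES first; one order at both sites makes them easier to compare. On the `static const struct xt_counters zero = {};` line in the nft_chain_new hunk, `{ 0 }` is the strictly conforming C spelling of an all-zero initializer; the empty `{}` is a GNU extension that only became standard in C23, so it is worth checking against the project's -std/-pedantic settings before relying on it.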
@@ -985,12 +989,10 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h, return NULL; } - if (counters) { - nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, - counters->bcnt); - nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, - counters->pcnt); - } + if (!counters) + counters = &zero; + nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, counters->bcnt); + nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, counters->pcnt); return c; } From patchwork Thu Aug 10 11:23:24 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1819803 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=mm0GGzTQ; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4RM4Lf34blz1yf6 for ; Thu, 10 Aug 2023 21:23:54 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233279AbjHJLXx (ORCPT ); Thu, 10 Aug 2023 07:23:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34468 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232354AbjHJLXw (ORCPT ); Thu, 10 Aug 2023 07:23:52 -0400 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 81514268A for ; Thu, 10 Aug 2023 04:23:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; 
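Review bot: the last nft.c hunk changes behaviour for every caller of nft_chain_new() that passes counters == NULL, not only for iptables-nft-restore: after this change any base chain created on demand (for example by a plain rule append) is sent to the kernel with a counters attribute. That is what the commit message asks for, but the message presents it as fixing the restore-without---counters case, so it would help to state there that all base chain creation now enables policy counters. Substituting `&zero` for a NULL parameter is fine here only because `counters` is declared `const struct xt_counters *`; if that signature is ever touched, the qualifier has to stay. Otherwise the replacement of the old conditional by an unconditional pair of nftnl_chain_set_u64() calls is a straightforward simplification.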
h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=fgaTGbuNOLietYUA25eTyYiUOp31cEanTFOf7vocWnQ=; b=mm0GGzTQy8wqRcrZT9dwHqLGBq 1v9u5P2pI+djBYCV5UMVV3Q80cPYR1TbnlFcZ/GlT/l5AflsDLlkmCMvFZ/55mk3agSBR6CvqPVfk oQjjh/B1yYNsSKU04rYBLmbJ/GC9ZfAMc+XuTglxz/1xhjXmN++hcmbrbj38+LylSJyepu6SfZW49 b9Z8dENJoS3klWFDX36gZxT61GhLvh2b4uvSC5tdPD3G+GHavRD3Ag9PY1JFyt2hpkotZ0KPuXmtQ fYd3vKaaHjqLcWpyOqYbmDYQ8W0A1A9pbIgupWuI07J6+O7gqA48bDijWzEwLwOr8eRoNauA9fMEg /c8EK3vw==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1qU3ld-0004OA-UR for netfilter-devel@vger.kernel.org; Thu, 10 Aug 2023 13:23:49 +0200 
From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH v2 2/3] Revert "libiptc: fix wrong maptype of base chain counters on restore" Date: Thu, 10 Aug 2023 13:23:24 +0200 Message-Id: <20230810112325.20630-3-phil@nwl.cc> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20230810112325.20630-1-phil@nwl.cc> References: <20230810112325.20630-1-phil@nwl.cc> MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org This reverts commit 7c4d668c9c2ee007c82063b7fc784cbbf46b2ec4. The change can't be right: A simple rule append call will reset all built-in chains' counters. The old code works fine even given the mentioned "empty restore" use-case, at least if counters don't change on the fly in-kernel. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=912 Fixes: 7c4d668c9c2ee ("libiptc: fix wrong maptype of base chain counters on restore") Signed-off-by: Phil Sutter --- libiptc/libiptc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index 634f0bc76b91c..e475063367c26 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c 
@@ -822,7 +822,7 @@ static int __iptcc_p_del_policy(struct xtc_handle *h, unsigned int num) /* save counter and counter_map information */ h->chain_iterator_cur->counter_map.maptype = - COUNTER_MAP_ZEROED; + COUNTER_MAP_NORMAL_MAP; h->chain_iterator_cur->counter_map.mappos = num-1; memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters, sizeof(h->chain_iterator_cur->counters)); From patchwork Thu Aug 10 11:23:25 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1819802 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=RHEPOqDA; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4RM4LX2tSLz1yf6 for ; Thu, 10 Aug 2023 21:23:48 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232716AbjHJLXr (ORCPT ); Thu, 10 Aug 2023 07:23:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50676 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232354AbjHJLXq (ORCPT ); Thu, 10 Aug 2023 07:23:46 -0400 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 28A7C2684 for ; Thu, 10 Aug 2023 04:23:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; 
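Review bot: the libiptc.c hunk flips the maptype back to COUNTER_MAP_NORMAL_MAP, but the only comment around it is still `/* save counter and counter_map information */`, which says nothing about why NORMAL_MAP (and not ZEROED) is the correct choice here. This exact line has already been changed once in the reverted commit 7c4d668c9c2ee, and the commit message explains the consequence of ZEROED (a simple rule append resets every built-in chain's policy counters), so a comment stating that NORMAL_MAP with mappos = num-1 is what lets the kernel carry the existing policy counters over on commit would stop the next reader from re-introducing the bug. The caveat from the message ("at least if counters don't change on the fly in-kernel") is also worth recording in that comment, since it describes the one situation the author expects this mapping not to cover.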
h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=zQsuJ1wcVL7kZ8MdBh7Kee0pnETd0nUSD5w2Nh/yrk0=; b=RHEPOqDA0foPGMR2B+f0bFiTfq WzbZHEsbCibquP6eIKeFT9SChuEv3WNa2/GhM1Oh011ryhTiqJYd/Es+QBJBYvOZDIUOHbU8VDjzo vhM+hGoGtpPV26No9GqGN/r4HupMC+8C3jJe6P3cz7G4/DmiOP20OJ7kIWe/lyD6LPZ5nWtXh1MNf 3niAqcKvt3EN/NjK08mdlnAfnA4TUFdq7N+0VAsCi1BohMGmC5J/iMWaLj60OPGSRvj71j0E9RfRS P0+I8O6oaEOQrIzf6DTuafYmHv0R/Buro8Iip+CLSpRGdYvyc4EprXD8Pm0VkaJ+Tl9EEOoEF7brW Lbb6tSJw==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1qU3lY-0004O3-Ix for netfilter-devel@vger.kernel.org; Thu, 10 Aug 2023 13:23:44 +0200 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH v2 3/3] tests: shell: Test chain policy counter behaviour Date: Thu, 10 Aug 2023 13:23:25 +0200 Message-Id: <20230810112325.20630-4-phil@nwl.cc> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20230810112325.20630-1-phil@nwl.cc> References: <20230810112325.20630-1-phil@nwl.cc> MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Test the last two fixes in that area. Signed-off-by: Phil Sutter --- .../shell/testcases/chain/0007counters_0 | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100755 iptables/tests/shell/testcases/chain/0007counters_0 
diff --git a/iptables/tests/shell/testcases/chain/0007counters_0 b/iptables/tests/shell/testcases/chain/0007counters_0 new file mode 100755 index 0000000000000..0b21a92663299 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0007counters_0 @@ -0,0 +1,78 @@ +#!/bin/bash -e + +SETUP="*filter +:FORWARD ACCEPT [13:37] +-A FORWARD -c 1 2 -j ACCEPT +-A FORWARD -c 3 4 -j ACCEPT +COMMIT" + + +### -Z with index shall zero a single chain only + +EXPECT="-P FORWARD ACCEPT -c 13 37 +-A FORWARD -c 0 0 -j ACCEPT +-A FORWARD -c 3 4 -j ACCEPT" + +$XT_MULTI iptables-restore --counters <<< "$SETUP" +$XT_MULTI iptables -Z FORWARD 1 +diff -u <(echo "$EXPECT") <($XT_MULTI iptables -vS FORWARD) + + +### -Z without index shall zero the chain and all rules + +EXPECT="-P FORWARD ACCEPT -c 0 0 +-A FORWARD -c 0 0 -j ACCEPT +-A FORWARD -c 0 0 -j ACCEPT" + +$XT_MULTI iptables -Z FORWARD +diff -u <(echo "$EXPECT") <($XT_MULTI iptables -vS FORWARD) + + +### prepare for live test + +# iptables-nft will create output chain on demand, so make sure it exists +$XT_MULTI iptables -A OUTPUT -d 127.2.3.4 -j ACCEPT + +# test runs in its own netns, lo is there but down by default +ip link set lo up + + +### pings (and pongs) hit OUTPUT policy, its counters must increase + +get_pkt_counter() { # (CHAIN) + $XT_MULTI iptables -vS $1 | awk '/^-P '$1'/{print $5; exit}' +} + +counter_inc_test() { + pkt_pre=$(get_pkt_counter OUTPUT) + ping -q -i 0.2 -c 3 127.0.0.1 + pkt_post=$(get_pkt_counter OUTPUT) + [[ $pkt_post -gt $pkt_pre ]] +} + +counter_inc_test + +# iptables-nft-restore needed --counters to create chains with them +if [[ $XT_MULTI == *xtables-nft-multi ]]; then + $XT_MULTI iptables -F OUTPUT + $XT_MULTI iptables -X OUTPUT + $XT_MULTI iptables-restore </dev/null 2>&1) +COMMIT +EOF +nft list ruleset +pkt_post=$(get_pkt_counter OUTPUT) +[[ $pkt_post -eq $((pkt_pre + 6 )) ]]
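Review bot: in the test hunk, get_pkt_counter() matches the policy line with the awk pattern `/^-P '$1'/`, which is a prefix match and also interpolates $1 unquoted into the awk program; `^-P '$1' ` (with a trailing space) would avoid matching a chain whose name merely starts with the argument. counter_inc_test() assigns pkt_pre and pkt_post without `local`, so both leak into script scope, and the final `[[ $pkt_post -eq $((pkt_pre + 6 )) ]]` depends on a pkt_pre whose re-assignment before the last ping is not visible in this copy of the hunk (the archive text is garbled around the `iptables-restore <` line, where a heredoc body and a `$(... 2>&1)` wrapper appear to have been lost, so the last dozen lines cannot be reviewed from here); declaring the two variables local in the function and re-reading pkt_pre explicitly before the final ping would make the expected delta of 6 (three echo requests plus three replies through lo) unambiguous. Because the script runs under `#!/bin/bash -e`, a lost reply makes ping exit non-zero and a count mismatch fails the last test expression silently; echoing pkt_pre and pkt_post before the comparison would make a failure diagnosable in the test log.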