Message-ID: <CAD4GDZw0RW3B2n5vC-q-XLpQ_bCg0iP13qvOa=cjK37CPLJsKg@mail.gmail.com>
Date: Fri, 29 Mar 2024 21:01:09 +0000
From: Donald Hunter <donald.hunter@...il.com>
To: Jakub Kicinski <kuba@...nel.org>
Cc: netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>, 
	Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Jiri Pirko <jiri@...nulli.us>, 
	Jacob Keller <jacob.e.keller@...el.com>, Stanislav Fomichev <sdf@...gle.com>, donald.hunter@...hat.com
Subject: Re: [PATCH net-next v1 2/2] tools/net/ynl: Add multi message support
 to ynl

On Fri, 29 Mar 2024 at 18:58, Donald Hunter <donald.hunter@...il.com> wrote:
>
> Jakub Kicinski <kuba@...nel.org> writes:
>
> > Looking at the code again, are you sure we'll process all the responses
> > not just the first one?
> >
> > Shouldn't this:
> >
> > +                    del reqs_by_seq[nl_msg.nl_seq]
> >                      done = True
> >
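Review bot: `done = True` directly after the `del` is unconditional, so completion is signalled once the first sequence number has been matched, even when other entries remain in `reqs_by_seq`. Tie `done` to the dict being empty, and decide how entries whose requests never get a reply are removed: the batch run later in this message adds four sequence numbers and reports only two as done, so an emptiness check alone would not terminate there.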
> > be something like:
> >
> >               del reqs_by_seq[nl_msg.nl_seq]
> >               done = len(reqs_by_seq) == 0
> >
>
> Hmm yes, that's a good catch. I need to check the DONE semantics for
> these nftables batch operations.

Well that's a problem:

./tools/net/ynl/cli.py \
     --spec Documentation/netlink/specs/nftables.yaml \
     --multi batch-begin '{"res-id": 10}' \
     --multi newtable '{"name": "test", "nfgen-family": 1}' \
     --multi newchain '{"name": "chain", "table": "test", "nfgen-family": 1}' \
     --multi batch-end '{"res-id": 10}'
Adding: 20778
Adding: 20779
Adding: 20780
Adding: 20781
Done: 20779
Done: 20780

There's no response for 'batch-begin' or 'batch-end'. We may need a
per op spec property to tell us if a request will be acknowledged.

> > Would be good to add an example of multi executing some get operations.
>
> I think this was a blind spot on my part because nftables doesn't
> support batch for get operations:
>
> https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L9092
>
> I'll need to try using multi for gets without any batch messages and see how
> everything behaves.

Okay, so it can be made to work. Will incorporate into the next revision:

./tools/net/ynl/cli.py \
     --spec Documentation/netlink/specs/nftables.yaml \
     --multi gettable '{"name": "test", "nfgen-family": 1}' \
     --multi getchain '{"name": "chain", "table": "test", "nfgen-family": 1}'
[{'flags': set(),
  'handle': 10,
  'name': 'test',
  'nfgen-family': 1,
  'res-id': 200,
  'use': 1,
  'version': 0},
 {'handle': 1,
  'name': 'chain',
  'nfgen-family': 1,
  'res-id': 200,
  'table': 'test',
  'use': 0,
  'version': 0}]
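
The bookkeeping discussed in this message, as an added sketch that is not part of the original message, the patch, or ynl: replies are matched to requests by sequence number, and the loop finishes only when nothing that expects a reply is outstanding. `expects_reply` is a hypothetical stand-in for the per-op spec property suggested above; the sequence numbers are the ones printed in the batch run, and the reply payloads are constructed.

```python
from dataclasses import dataclass


@dataclass
class Request:
    seq: int
    op: str
    expects_reply: bool  # hypothetical per-op flag, not an existing spec property


def collect(requests, replies, use_flag=True):
    """Match replies to requests by sequence number.

    Returns (answered ops in arrival order, seqs still waiting).
    With use_flag=False every request is waited on, as in the batch run.
    """
    pending = {r.seq: r for r in requests if r.expects_reply or not use_flag}
    answered = []
    for seq, _payload in replies:
        req = pending.pop(seq, None)
        if req is None:
            continue  # reply for a seq we are not waiting on
        answered.append(req.op)
        if not pending:  # done only when nothing is outstanding
            break
    return answered, sorted(pending)


# Sequence numbers from the batch run; reply payloads are constructed.
BATCH = [
    Request(20778, "batch-begin", False),
    Request(20779, "newtable", True),
    Request(20780, "newchain", True),
    Request(20781, "batch-end", False),
]
REPLIES = [(20779, {}), (20780, {})]

if __name__ == "__main__":
    print(collect(BATCH, REPLIES, use_flag=False))
    print(collect(BATCH, REPLIES, use_flag=True))
```

With `use_flag=False` the leftover sequence numbers are the ones a blocking receive loop would keep waiting on.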
