Open Source and information security mailing list archives
Message-ID: <20250425091854.4b5964fd@kernel.org>
Date: Fri, 25 Apr 2025 09:18:54 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Pablo Neira Ayuso <pablo@...filter.org>, fw@...len.de
Cc: netfilter-devel@...r.kernel.org, davem@...emloft.net,
 netdev@...r.kernel.org, pabeni@...hat.com, edumazet@...gle.com,
 horms@...nel.org
Subject: Re: [PATCH net-next,v2 0/7] Netfilter updates for net-next

On Thu, 24 Apr 2025 23:14:48 +0200 Pablo Neira Ayuso wrote:
> v2: including fixes from Florian to address selftest issues
>     and a fix for set element count and type.

Thanks, appreciated! All our networking tests now pass, but there
seems to still be some breakage on the BPF side, so
tools/testing/selftests/bpf/config needs touching up.

I suppose while addressing the RT problem you're trying to move
stragglers off from the legacy stuff to nft? Which I'm entirely
sympathetic to. But I'm worried that not everybody will be, and
there's plenty of defconfigs which include iptables:

$ git grep CONFIG_IP_NF_IPTABLES= | wc -l
54

At the end of the day it's up to you, but maybe sleep on it? :)
And the BPF side needs fixing for sure, they will notice..

Error: #25 bpf_nf
Error: #25/1 bpf_nf/xdp-ct
  Error: #25/1 bpf_nf/xdp-ct
  test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
  test_bpf_nf_ct:FAIL:iptables-legacy -t raw -A PREROUTING -j CONNMARK --set-mark 42/0 unexpected error: 768 (errno 0)
Error: #25/2 bpf_nf/tc-bpf-ct
  Error: #25/2 bpf_nf/tc-bpf-ct
  test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
  test_bpf_nf_ct:FAIL:iptables-legacy -t raw -A PREROUTING -j CONNMARK --set-mark 42/0 unexpected error: 768 (errno 0)
Error: #621 xdp_synproxy
Error: #621/1 xdp_synproxy/xdp
  Error: #621/1 xdp_synproxy/xdp
  test_synproxy:PASS:ip netns add synproxy 0 nsec
  test_synproxy:PASS:ip link add tmp0 type veth peer name tmp1 0 nsec
  test_synproxy:PASS:ip link set tmp1 netns synproxy 0 nsec
  test_synproxy:PASS:ip link set tmp0 up 0 nsec
  test_synproxy:PASS:ip addr replace 198.18.0.1/24 dev tmp0 0 nsec
  test_synproxy:PASS:ethtool -K tmp0 tx off 0 nsec
  test_synproxy:PASS:ip link set tmp0 xdp object xdp_dummy.bpf.o section xdp 2> /dev/null 0 nsec
  test_synproxy:PASS:setns 0 nsec
  test_synproxy:PASS:ip link set lo up 0 nsec
  test_synproxy:PASS:ip link set tmp1 up 0 nsec
  test_synproxy:PASS:ip addr replace 198.18.0.2/24 dev tmp1 0 nsec
  test_synproxy:PASS:sysctl -w net.ipv4.tcp_syncookies=2 0 nsec
  test_synproxy:PASS:sysctl -w net.ipv4.tcp_timestamps=1 0 nsec
  test_synproxy:PASS:sysctl -w net.netfilter.nf_conntrack_tcp_loose=0 0 nsec
  test_synproxy:FAIL:iptables-legacy -t raw -I PREROUTING 	    -i tmp1 -p tcp -m tcp --syn --dport 8080 -j CT --notrack unexpected error: 768 (errno 95)
Error: #621/2 xdp_synproxy/tc
  Error: #621/2 xdp_synproxy/tc
  test_synproxy:PASS:ip netns add synproxy 0 nsec
  test_synproxy:PASS:ip link add tmp0 type veth peer name tmp1 0 nsec
  test_synproxy:PASS:ip link set tmp1 netns synproxy 0 nsec
  test_synproxy:PASS:ip link set tmp0 up 0 nsec
  test_synproxy:PASS:ip addr replace 198.18.0.1/24 dev tmp0 0 nsec
  test_synproxy:PASS:ethtool -K tmp0 tx off 0 nsec
  test_synproxy:PASS:setns 0 nsec
  test_synproxy:PASS:ip link set lo up 0 nsec
  test_synproxy:PASS:ip link set tmp1 up 0 nsec
  test_synproxy:PASS:ip addr replace 198.18.0.2/24 dev tmp1 0 nsec
  test_synproxy:PASS:sysctl -w net.ipv4.tcp_syncookies=2 0 nsec
  test_synproxy:PASS:sysctl -w net.ipv4.tcp_timestamps=1 0 nsec
  test_synproxy:PASS:sysctl -w net.netfilter.nf_conntrack_tcp_loose=0 0 nsec
  test_synproxy:FAIL:iptables-legacy -t raw -I PREROUTING 	    -i tmp1 -p tcp -m tcp --syn --dport 8080 -j CT --notrack unexpected error: 768 (errno 95)

https://github.com/kernel-patches/bpf/actions/runs/14667575264/job/41166480606
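As an added illustration (not part of Jakub's mail or of the kernel tree), a small triage script for selftest output of the kind quoted above: it pulls out the FAIL lines and decodes the reported number, which is a raw wait status from system(), so 768 means iptables-legacy exited with code 3 and is not itself an errno. The log excerpt embedded below is constructed from the lines in the mail.

```python
import errno
import re

# Constructed excerpt of the BPF selftest output quoted in the mail above.
SAMPLE_LOG = """\
Error: #25/1 bpf_nf/xdp-ct
  test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
  test_bpf_nf_ct:FAIL:iptables-legacy -t raw -A PREROUTING -j CONNMARK --set-mark 42/0 unexpected error: 768 (errno 0)
Error: #621/1 xdp_synproxy/xdp
  test_synproxy:PASS:ip netns add synproxy 0 nsec
  test_synproxy:FAIL:iptables-legacy -t raw -I PREROUTING -i tmp1 -p tcp -m tcp --syn --dport 8080 -j CT --notrack unexpected error: 768 (errno 95)
"""

FAIL_RE = re.compile(
    r"^\s*(?P<func>\w+):FAIL:(?P<cmd>.+?) unexpected error: "
    r"(?P<status>\d+) \(errno (?P<errno>\d+)\)$"
)

def decode_wait_status(status):
    """Split a raw system()/wait status into (kind, code): the selftest
    helpers print the wait status, not the command's exit code."""
    if status & 0x7F:                       # low 7 bits: terminating signal
        return "signaled", status & 0x7F
    return "exited", (status >> 8) & 0xFF   # bits 8..15: exit code

def parse_failures(log):
    """One dict per FAIL line: which helper, which tool, how it died."""
    failures = []
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        kind, code = decode_wait_status(int(m["status"]))
        err = int(m["errno"])
        failures.append({
            "func": m["func"], "tool": m["cmd"].split()[0],
            "kind": kind, "code": code, "errno": err,
            "errno_name": errno.errorcode.get(err, "?") if err else "0",
        })
    return failures

def tools_behind_failures(failures):
    """Map each failing tool to the set of (kind, code) outcomes seen for it."""
    summary = {}
    for f in failures:
        summary.setdefault(f["tool"], set()).add((f["kind"], f["code"]))
    return summary
```

Run over the full log, the summary shows every failure collapsing to one tool and one exit status, which is the quickest way to confirm a single missing config option rather than several independent regressions.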
