| Message ID | 1db5b6cc6902c5fc6f8c6cbd85494a2008087be5.1718488050.git.lucien.xin@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 88c67aeb14070bab61d3dd8be96c8b42ebcaf53a |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net] sched: act_ct: add netns into the key of tcf_ct_flow_table | expand |
On Sat, Jun 15, 2024 at 05:47:30PM -0400, Xin Long wrote: > zones_ht is a global hashtable for flow_table with zone as key. However, > it does not consider netns when getting a flow_table from zones_ht in > tcf_ct_init(), and it means an act_ct action in netns A may get a > flow_table that belongs to netns B if it has the same zone value. > > In Shuang's test with the TOPO: > > tcf2_c <---> tcf2_sw1 <---> tcf2_sw2 <---> tcf2_s > > tcf2_sw1 and tcf2_sw2 saw the same flow and used the same flow table, > which caused their ct entries entering unexpected states and the > TCP connection not able to end normally. > > This patch fixes the issue simply by adding netns into the key of > tcf_ct_flow_table so that an act_ct action gets a flow_table that > belongs to its own netns in tcf_ct_init(). > > Note that for easy coding we don't use tcf_ct_flow_table.nf_ft.net, > as the ct_ft is initialized after inserting it to the hashtable in > tcf_ct_flow_table_get() and also it requires to implement several > functions in rhashtable_params including hashfn, obj_hashfn and > obj_cmpfn. > > Fixes: 64ff70b80fd4 ("net/sched: act_ct: Offload established connections to flow table") > Reported-by: Shuang Li <shuali@redhat.com> > Signed-off-by: Xin Long <lucien.xin@gmail.com> Reviewed-by: Simon Horman <horms@kernel.org>
Hello: This patch was applied to netdev/net.git (main) by Paolo Abeni <pabeni@redhat.com>: On Sat, 15 Jun 2024 17:47:30 -0400 you wrote: > zones_ht is a global hashtable for flow_table with zone as key. However, > it does not consider netns when getting a flow_table from zones_ht in > tcf_ct_init(), and it means an act_ct action in netns A may get a > flow_table that belongs to netns B if it has the same zone value. > > In Shuang's test with the TOPO: > > [...] Here is the summary with links: - [net] sched: act_ct: add netns into the key of tcf_ct_flow_table https://git.kernel.org/netdev/net/c/88c67aeb1407 You are awesome, thank you!
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index baac083fd8f1..2a96d9c1db65 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -41,21 +41,26 @@ static struct workqueue_struct *act_ct_wq; static struct rhashtable zones_ht; static DEFINE_MUTEX(zones_mutex); +struct zones_ht_key { + struct net *net; + u16 zone; +}; + struct tcf_ct_flow_table { struct rhash_head node; /* In zones tables */ struct rcu_work rwork; struct nf_flowtable nf_ft; refcount_t ref; - u16 zone; + struct zones_ht_key key; bool dying; }; static const struct rhashtable_params zones_params = { .head_offset = offsetof(struct tcf_ct_flow_table, node), - .key_offset = offsetof(struct tcf_ct_flow_table, zone), - .key_len = sizeof_field(struct tcf_ct_flow_table, zone), + .key_offset = offsetof(struct tcf_ct_flow_table, key), + .key_len = sizeof_field(struct tcf_ct_flow_table, key), .automatic_shrinking = true, }; @@ -316,11 +321,12 @@ static struct nf_flowtable_type flowtable_ct = { static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params) { + struct zones_ht_key key = { .net = net, .zone = params->zone }; struct tcf_ct_flow_table *ct_ft; int err = -ENOMEM; mutex_lock(&zones_mutex); - ct_ft = rhashtable_lookup_fast(&zones_ht, ¶ms->zone, zones_params); + ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) goto out_unlock; @@ -329,7 +335,7 @@ static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params) goto err_alloc; refcount_set(&ct_ft->ref, 1); - ct_ft->zone = params->zone; + ct_ft->key = key; err = rhashtable_insert_fast(&zones_ht, &ct_ft->node, zones_params); if (err) goto err_insert;
zones_ht is a global hashtable for flow_table with zone as key. However, it does not consider netns when getting a flow_table from zones_ht in tcf_ct_init(), and it means an act_ct action in netns A may get a flow_table that belongs to netns B if it has the same zone value. In Shuang's test with the TOPO: tcf2_c <---> tcf2_sw1 <---> tcf2_sw2 <---> tcf2_s tcf2_sw1 and tcf2_sw2 saw the same flow and used the same flow table, which caused their ct entries entering unexpected states and the TCP connection not able to end normally. This patch fixes the issue simply by adding netns into the key of tcf_ct_flow_table so that an act_ct action gets a flow_table that belongs to its own netns in tcf_ct_init(). Note that for easy coding we don't use tcf_ct_flow_table.nf_ft.net, as the ct_ft is initialized after inserting it to the hashtable in tcf_ct_flow_table_get() and also it requires to implement several functions in rhashtable_params including hashfn, obj_hashfn and obj_cmpfn. Fixes: 64ff70b80fd4 ("net/sched: act_ct: Offload established connections to flow table") Reported-by: Shuang Li <shuali@redhat.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> --- net/sched/act_ct.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-)