Received: by 2002:a05:7412:bbc7:b0:fc:a2b0:25d7 with SMTP id kh7csp771478rdb; Fri, 2 Feb 2024 03:44:07 -0800 (PST) X-Google-Smtp-Source: AGHT+IFO4pgA3PtkQM+r21tzT6rzB8dG2VNQ70u8NY5qXF2CwWjEzMfVUMJ05qCCgP71MMLtrpUg X-Received: by 2002:a4a:c4c8:0:b0:599:f8d5:8a66 with SMTP id g8-20020a4ac4c8000000b00599f8d58a66mr1895760ooq.0.1706874247443; Fri, 02 Feb 2024 03:44:07 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706874247; cv=pass; d=google.com; s=arc-20160816; b=K4kHA4pUGd3z2ZeEQdpvWpg6hZc2u7hZuNRe+lA26ASDmV/h1C8LcJWKUXZXtsYXPS 78biDHxGkKEE/rMj+/6i/M5ILQ4kzz6g2NIkk2apq3QgdL7nGeubSYURxzL0SJl/oHEk bh6hbBYEPkV3X8WEwkI2oZL04zIkSGfgtH/xgFZxZoQoWR91mVvuXkB3ssfH2V/u+Qpl BqEKXVxu6e3L+xoZRE6HTBj1dOiIZSgDAMQ/odXQWTRztl3Dmm6VFeVcV3ylHt96UDeu DYZr3Hsu+1hueBZs1qPubTkPoMgcw6QzJZ2QPayzXnTYg+pw9ECZ4/NX8PozexnARtPA staA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:autocrypt:from:references:cc :to:content-language:subject:user-agent:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:date:message-id; bh=XwUWFOzQ8aWGxpQ2P8DutW5a6eAW98hgrYdwXY0fOu4=; fh=jVYocjucNFtLLVf0WE5uBjWv07eeXspfx8MWJxi1fu4=; b=lznqG/2EhubN77oQQsMMwo7+MQ/NQLFgOoR65PyDUBsD0L+YCMHq9kR2gymvDAhF2R CRhggyxR+MOU0hlgVEN/xb4tFCoAmZq7AgjNzbChpCnoa5PXmUv9ez0i/QB0Unx/c0q3 b4bSS7vELz41O44nis0gznGdPBBWvXuNvYwqpW8UFX4xCulFRfYW9DKxx+FHue5yaFP6 HxyuZ1h6KTDha5kSV4T3FCUteigkBccm6rIaxt9J3r5VtYLDCRgiGrIIkLld5Qm7LWRy QVtLq9X80pc5oApAU40blQe+9xVERmFW+1nMSoeZPQfw290yFRkRz+M3ldEcew7GS5Ah 8SuQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=ovn.org); spf=pass (google.com: domain of linux-kernel+bounces-49726-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-49726-linux.lists.archive=gmail.com@vger.kernel.org" X-Forwarded-Encrypted: i=1; AJvYcCWroNiKc+jPSB3PsZXO9UhqLMi3rsRxRfN9k0mun1HRrXpOM/MCB4+qS/0lkJn3gP5JR/QL1prS26Y+ASuYmh1Xu/14C+kJ55ncTzCcsw== Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id j10-20020a65428a000000b005d8e3c86163si1523353pgp.142.2024.02.02.03.44.06 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 02 Feb 2024 03:44:07 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-49726-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=ovn.org); spf=pass (google.com: domain of linux-kernel+bounces-49726-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-49726-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 13D57B2C8C8 for ; Fri, 2 Feb 2024 11:04:15 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 9057813BEBD; Fri, 2 Feb 2024 11:04:00 +0000 (UTC) Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 018C5171AA; Fri, 2 Feb 2024 11:03:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.196 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706871840; cv=none; b=tdwzIKAqCMhfsdbIGSgPvqqm5/uVGHMjs4NvkyUsHn6Aw+M3C1hscfYD1xHXXcuiNuOYaGMpe1jfqUS3w3HF00tyjw1c1GSiTI2SCfn7k2B12JRBOjnf+Hfkp1BrATxNUWGfKpUvVgUSoGOQ9FjJJ9tFmw2hqxnrCuH9j/pc4iM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706871840; c=relaxed/simple; bh=U1eRgjBCzm2fUntv469++7/XQcqvss8//usk2L8DuD4=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=nmJpvQierywIBC9cRiCW685E0DRtSExE15gG5uJjqMBXHjpLU9XtnGcS6NmionYgPj2F7bjm5bsHvOLtQPpT70CwiM6dfApQAg7JIws9mBYJszOTmlOX/jS1CCMLHe8tAaNM2NP5Jha8DHBO6mBAXwVlPP8D+0GT4TS7u8IuioI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=ovn.org; spf=pass smtp.mailfrom=ovn.org; arc=none smtp.client-ip=217.70.183.196 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=ovn.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=ovn.org Received: by mail.gandi.net (Postfix) with ESMTPSA id AF641E0005; Fri, 2 Feb 2024 11:03:52 +0000 (UTC) Message-ID: <2032238f-31ac-4106-8f22-522e76df5a12@ovn.org> Date: Fri, 2 Feb 2024 12:04:35 +0100 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH net-next v2] net: ctnetlink: support filtering by zone Content-Language: en-US To: Pablo Neira Ayuso , Felix Huettner Cc: linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, shuah@kernel.org, luca.czesla@mail.schwarz, max.lamprecht@mail.schwarz, i.maximets@ovn.org, Simon Horman References: From: Ilya Maximets Autocrypt: addr=i.maximets@ovn.org; keydata= xsFNBF77bOMBEADVZQ4iajIECGfH3hpQMQjhIQlyKX4hIB3OccKl5XvB/JqVPJWuZQRuqNQG /B70MP6km95KnWLZ4H1/5YOJK2l7VN7nO+tyF+I+srcKq8Ai6S3vyiP9zPCrZkYvhqChNOCF pNqdWBEmTvLZeVPmfdrjmzCLXVLi5De9HpIZQFg/Ztgj1AZENNQjYjtDdObMHuJQNJ6ubPIW cvOOn4WBr8NsP4a2OuHSTdVyAJwcDhu+WrS/Bj3KlQXIdPv3Zm5x9u/56NmCn1tSkLrEgi0i /nJNeH5QhPdYGtNzPixKgPmCKz54/LDxU61AmBvyRve+U80ukS+5vWk8zvnCGvL0ms7kx5sA tETpbKEV3d7CB3sQEym8B8gl0Ux9KzGp5lbhxxO995KWzZWWokVUcevGBKsAx4a/C0wTVOpP FbQsq6xEpTKBZwlCpxyJi3/PbZQJ95T8Uw6tlJkPmNx8CasiqNy2872gD1nN/WOP8m+cIQNu o6NOiz6VzNcowhEihE8Nkw9V+zfCxC8SzSBuYCiVX6FpgKzY/Tx+v2uO4f/8FoZj2trzXdLk BaIiyqnE0mtmTQE8jRa29qdh+s5DNArYAchJdeKuLQYnxy+9U1SMMzJoNUX5uRy6/3KrMoC/ 7zhn44x77gSoe7XVM6mr/mK+ViVB7v9JfqlZuiHDkJnS3yxKPwARAQABzSJJbHlhIE1heGlt ZXRzIDxpLm1heGltZXRzQG92bi5vcmc+wsGUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQWAgMB Ah4BAheAFiEEh+ma1RKWrHCY821auffsd8gpv5YFAmP+Y/MFCQjFXhAACgkQuffsd8gpv5Yg OA//eEakvE7xTHNIMdLW5r3XnWSEY44dFDEWTLnS7FbZLLHxPNFXN0GSAA8ZsJ3fE26O5Pxe EEFTf7R/W6hHcSXNK4c6S8wR4CkTJC3XOFJchXCdgSc7xS040fLZwGBuO55WT2ZhQvZj1PzT 8Fco8QKvUXr07saHUaYk2Lv2mRhEPP9zsyy7C2T9zUzG04a3SGdP55tB5Adi0r/Ea+6VJoLI ctN8OaF6BwXpag8s76WAyDx8uCCNBF3cnNkQrCsfKrSE2jrvrJBmvlR3/lJ0OYv6bbzfkKvo 0W383EdxevzAO6OBaI2w+wxBK92SMKQB3R0ZI8/gqCokrAFKI7gtnyPGEKz6jtvLgS3PeOtf 5D7PTz+76F/X6rJGTOxR3bup+w1bP/TPHEPa2s7RyJISC07XDe24n9ZUlpG5ijRvfjbCCHb6 pOEijIj2evcIsniTKER2pL+nkYtx0bp7dZEK1trbcfglzte31ZSOsfme74u5HDxq8/rUHT01 51k/vvUAZ1KOdkPrVEl56AYUEsFLlwF1/j9mkd7rUyY3ZV6oyqxV1NKQw4qnO83XiaiVjQus K96X5Ea+XoNEjV4RdxTxOXdDcXqXtDJBC6fmNPzj4QcxxyzxQUVHJv67kJOkF4E+tJza+dNs 8SF0LHnPfHaSPBFrc7yQI9vpk1XBxQWhw6oJgy3OwU0EXvts4wEQANCXyDOic0j2QKeyj/ga OD1oKl44JQfOgcyLVDZGYyEnyl6b/tV1mNb57y/YQYr33fwMS1hMj9eqY6tlMTNz+ciGZZWV YkPNHA+aFuPTzCLrapLiz829M5LctB2448bsgxFq0TPrr5KYx6AkuWzOVq/X5wYEM6djbWLc VWgJ3o0QBOI4/uB89xTf7mgcIcbwEf6yb/86Cs+jaHcUtJcLsVuzW5RVMVf9F+Sf/b98Lzrr 2/mIB7clOXZJSgtV79Alxym4H0cEZabwiXnigjjsLsp4ojhGgakgCwftLkhAnQT3oBLH/6ix 87ahawG3qlyIB8ZZKHsvTxbWte6c6xE5dmmLIDN44SajAdmjt1i7SbAwFIFjuFJGpsnfdQv1 OiIVzJ44kdRJG8kQWPPua/k+AtwJt/gjCxv5p8sKVXTNtIP/sd3EMs2xwbF8McebLE9JCDQ1 RXVHceAmPWVCq3WrFuX9dSlgf3RWTqNiWZC0a8Hn6fNDp26TzLbdo9mnxbU4I/3BbcAJZI9p 9ELaE9rw3LU8esKqRIfaZqPtrdm1C+e5gZa2gkmEzG+WEsS0MKtJyOFnuglGl1ZBxR1uFvbU VXhewCNoviXxkkPk/DanIgYB1nUtkPC+BHkJJYCyf9Kfl33s/bai34aaxkGXqpKv+CInARg3 fCikcHzYYWKaXS6HABEBAAHCwXwEGAEIACYCGwwWIQSH6ZrVEpascJjzbVq59+x3yCm/lgUC Y/5kJAUJCMVeQQAKCRC59+x3yCm/lpF7D/9Lolx00uxqXz2vt/u9flvQvLsOWa+UBmWPGX9u oWhQ26GjtbVvIf6SECcnNWlu/y+MHhmYkz+h2VLhWYVGJ0q03XkktFCNwUvHp3bTXG3IcPIC eDJUVMMIHXFp7TcuRJhrGqnlzqKverlY6+2CqtCpGMEmPVahMDGunwqFfG65QubZySCHVYvX T9SNga0Ay/L71+eVwcuGChGyxEWhVkpMVK5cSWVzZe7C+gb6N1aTNrhu2dhpgcwe1Xsg4dYv dYzTNu19FRpfc+nVRdVnOto8won1SHGgYSVJA+QPv1x8lMYqKESOHAFE/DJJKU8MRkCeSfqs izFVqTxTk3VXOCMUR4t2cbZ9E7Qb/ZZigmmSgilSrOPgDO5TtT811SzheAN0PvgT+L1Gsztc Q3BvfofFv3OLF778JyVfpXRHsn9rFqxG/QYWMqJWi+vdPJ5RhDl1QUEFyH7ok/ZY60/85FW3 o9OQwoMf2+pKNG3J+EMuU4g4ZHGzxI0isyww7PpEHx6sxFEvMhsOp7qnjPsQUcnGIIiqKlTj H7i86580VndsKrRK99zJrm4s9Tg/7OFP1SpVvNvSM4TRXSzVF25WVfLgeloN1yHC5Wsqk33X XNtNovqA0TLFjhfyyetBsIOgpGakgBNieC9GnY7tC3AG+BqG5jnVuGqSTO+iM/d+lsoa+w== In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-GND-Sasl: i.maximets@ovn.org On 12/22/23 13:01, Pablo Neira Ayuso wrote: > On Mon, Nov 27, 2023 at 11:49:16AM +0000, Felix Huettner wrote: >> conntrack zones are heavily used by tools like openvswitch to run >> multiple virtual "routers" on a single machine. In this context each >> conntrack zone matches to a single router, thereby preventing >> overlapping IPs from becoming issues. >> In these systems it is common to operate on all conntrack entries of a >> given zone, e.g. to delete them when a router is deleted. Previously this >> required these tools to dump the full conntrack table and filter out the >> relevant entries in userspace potentially causing performance issues. >> >> To do this we reuse the existing CTA_ZONE attribute. This was previous >> parsed but not used during dump and flush requests. Now if CTA_ZONE is >> set we filter these operations based on the provided zone. >> However this means that users that previously passed CTA_ZONE will >> experience a difference in functionality. >> >> Alternatively CTA_FILTER could have been used for the same >> functionality. However it is not yet supported during flush requests and >> is only available when using AF_INET or AF_INET6. > > For the record, this is applied to nf-next. Hi, Felix and Pablo. I was looking through the code and the following part is bothering me: diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index fb0ae15e96df..4e9133f61251 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1148,6 +1149,10 @@ static int ctnetlink_filter_match(struct nf_conn *ct, void *data) if (filter->family && nf_ct_l3num(ct) != filter->family) goto ignore_entry; + if (filter->zone.id != NF_CT_DEFAULT_ZONE_ID && + !nf_ct_zone_equal_any(ct, &filter->zone)) + goto ignore_entry; + if (filter->orig_flags) { tuple = nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL); if (!ctnetlink_filter_match_tuple(&filter->orig, tuple, If I'm reading that right, the default zone is always flushed, even if the user requested to flush a different zone. I.e. the entry is never ignored for a default zone. Is that correct or am I reading that wrong? If my observation is correct, then I don't think this functionality can actually be used by applications as it does something unexpected. Best regards, Ilya Maximets.