netfilter: nf_tables: netlink api rebase on net.git (!3028) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

Florian Westphal requested to merge fwestpha/centos-stream-9-fw:jira1720 into main Sep 07, 2023

JIRA: https://issues.redhat.com/browse/RHEL-1720 JIRA: https://issues.redhat.com/browse/RHEL-1721 Upstream Status: all upstream except top most patch CVE: CVE-2023-4244 Omitted-fix: ebd032fa8818 ("netfilter: nf_tables: do not remove elements if set backend implements .abort")

This is a major rebase to get the set element garbage collection into RHEL. This rework was necessary to address race conditions between the netlink control plane, the datapath (set element insertion/removal via nft_dynset expression from the nftables ruleset) and the asynchronous garbage collection to remove timed-out elements.

With this rework, all set element removals happen under protection of the transaction mutex, similar to how netlink control plane add/removal is done.

Removal from async worker queues the removal requests via work queue, work queue then can serialize this via mutex.

The topmost patch resolves a problem that occurs with the nftables version shipped with RHEL, see description for details.

The omitted fix has been reverted uptream.

Signed-off-by: Florian Westphal fwestpha@redhat.com

Edited Oct 19, 2023 by Florian Westphal

netfilter: nf_tables: netlink api rebase on net.git

Merge request reports