Re: [PATCH nf-next] netfilter: nf_tables: Expose socket mark

Thu, 12 Jul 2018 08:15:37 -0700 

On Thu, Jul 12, 2018 at 04:26:54PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jul 12, 2018 at 12:52:16AM +0200, Máté Eckl wrote:
> > Signed-off-by: Máté Eckl <eckl...@gmail.com>
> > ---
> >  include/uapi/linux/netfilter/nf_tables.h |  4 +++-
> >  net/netfilter/nft_socket.c               | 11 ++++++++++-
> >  2 files changed, 13 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/uapi/linux/netfilter/nf_tables.h 
> > b/include/uapi/linux/netfilter/nf_tables.h
> > index 89438e68dc03..f466860bcf75 100644
> > --- a/include/uapi/linux/netfilter/nf_tables.h
> > +++ b/include/uapi/linux/netfilter/nf_tables.h
> > @@ -921,10 +921,12 @@ enum nft_socket_attributes {
> >  /*
> >   * enum nft_socket_keys - nf_tables socket expression keys
> >   *
> > - * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
> > + * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
> > + * @NFT_SOCKET_MARK: Value of the socket mark
> >   */
> >  enum nft_socket_keys {
> >     NFT_SOCKET_TRANSPARENT,
> > +   NFT_SOCKET_MARK,
> >     __NFT_SOCKET_MAX
> >  };
> >  #define NFT_SOCKET_MAX     (__NFT_SOCKET_MAX - 1)
> > diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
> > index 74e1b3bd6954..3f46b2013e26 100644
> > --- a/net/netfilter/nft_socket.c
> > +++ b/net/netfilter/nft_socket.c
> > @@ -40,7 +40,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
> >             }
> >  
> >     if(!sk) {
> > -           nft_reg_store8(dest, 0);
> > +           *dest = 0;
> >             return;
> 
> I think this should be:
> 
>         if (!sk)
>                 regs->verdict.code = NFT_BREAK;
> 
> So we make sure we skip further evaluation, because zero may be a
> valid mark.
> 
> or better:
> 
>         if (!sk)
>                 goto out:
>         ...
> out:
>         regs->verdict.code = NFT_BREAK;
> 
> so you consolidate this evaluation break path.
> 
> An initial patch to fix what we have would be good to have.
> 
> >     }
> >  
> > @@ -51,6 +51,12 @@ static void nft_socket_eval(const struct nft_expr *expr,
> >     case NFT_SOCKET_TRANSPARENT:
> >             nft_reg_store8(dest, inet_sk_transparent(sk));
> >             break;
> > +   case NFT_SOCKET_MARK:
> > +           if (sk_fullsock(sk))
> > +                   *dest = inet_request_mark(sk, skb);
> > +           else
> > +                   *dest = 0;
> 
> Again, better break evaluation here, so I would do:
> 
>                 if (!sk_fullsock(sk))
>                         goto out;
> 
> ...
> out:
>         regs->verdict.code = NFT_BREAK;
> 
> Thanks.

Thanks for the observation, you are right, it should break evaluation. I'll fix
this too.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to