Re: [PATCH nf-next,v3 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

[kbuild test robot]

Hi Pablo,

I love your patch! Yet something to improve:

[auto build test ERROR on nf-next/master]
[also build test ERROR on v4.17-rc5]
[cannot apply to nf/master next-20180517]
[if your patch is applied to the wrong git tree, please drop us a note to help 
improve the system]

url:
https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-struct-nf_ct_hook-and-use-it/20180518-093914
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: mips-fuloong2e_defconfig (attached as .config)
compiler: mips64el-linux-gnuabi64-gcc (Debian 7.2.0-11) 7.2.0
reproduce:
wget 
https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O 
~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=mips 

All errors (new ones prefixed by >>):

>> ERROR: "nf_ct_hook" [net/netfilter/nfnetlink_queue.ko] undefined!

---
0-DAY kernel test infrastructureOpen Source Technology Center
https://lists.01.org/pipermail/kbuild-all   Intel Corporation


.config.gz
Description: application/gzip

Re: [PATCH ghak81 V3 1/3] audit: use new audit_context access funciton for seccomp_actions_logged

[Paul Moore]

On Wed, May 16, 2018 at 7:55 AM, Richard Guy Briggs  wrote:
> On the rebase of the following commit on the new seccomp actions_logged
> function, one audit_context access was missed.
>
> commit cdfb6b341f0f2409aba24b84f3b4b2bba50be5c5
> ("audit: use inline function to get audit context")
>
> Signed-off-by: Richard Guy Briggs 
> ---
>  kernel/auditsc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Merged into audit/next, thanks for the follow-up.

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index cbab0da..f3d3dc6 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2497,7 +2497,7 @@ void audit_seccomp_actions_logged(const char *names, 
> const char *old_names,
> if (!audit_enabled)
> return;
>
> -   ab = audit_log_start(current->audit_context, GFP_KERNEL,
> +   ab = audit_log_start(audit_context(), GFP_KERNEL,
>  AUDIT_CONFIG_CHANGE);
> if (unlikely(!ab))
> return;
> --
> 1.8.3.1

-- 
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH ghak81 V3 3/3] audit: collect audit task parameters

[Paul Moore]

On Wed, May 16, 2018 at 7:55 AM, Richard Guy Briggs  wrote:
> The audit-related parameters in struct task_struct should ideally be
> collected together and accessed through a standard audit API.
>
> Collect the existing loginuid, sessionid and audit_context together in a
> new struct audit_task_info called "audit" in struct task_struct.
>
> Use kmem_cache to manage this pool of memory.
> Un-inline audit_free() to be able to always recover that memory.
>
> See: https://github.com/linux-audit/audit-kernel/issues/81
>
> Signed-off-by: Richard Guy Briggs 
> ---
>  include/linux/audit.h | 34 --
>  include/linux/sched.h |  5 +
>  init/init_task.c  |  3 +--
>  init/main.c   |  2 ++
>  kernel/auditsc.c  | 51 
> ++-
>  kernel/fork.c |  2 +-
>  6 files changed, 71 insertions(+), 26 deletions(-)

As discussed on-list and offline, I'm going to hold off on this change
until the audit container ID work is father along.  That is the main
driver for this change, and until that is closer to ready I just can't
justify the extra overhead.

> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 69c7847..4f824c4 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -216,8 +216,15 @@ static inline void audit_log_task_info(struct 
> audit_buffer *ab,
>
>  /* These are defined in auditsc.c */
> /* Public API */
> +struct audit_task_info {
> +   kuid_t  loginuid;
> +   unsigned intsessionid;
> +   struct audit_context*ctx;
> +};
> +extern struct audit_task_info init_struct_audit;
> +extern void __init audit_task_init(void);
>  extern int  audit_alloc(struct task_struct *task);
> -extern void __audit_free(struct task_struct *task);
> +extern void audit_free(struct task_struct *task);
>  extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long 
> a1,
>   unsigned long a2, unsigned long a3);
>  extern void __audit_syscall_exit(int ret_success, long ret_value);
> @@ -239,12 +246,15 @@ extern void audit_seccomp_actions_logged(const char 
> *names,
>
>  static inline void audit_set_context(struct task_struct *task, struct 
> audit_context *ctx)
>  {
> -   task->audit_context = ctx;
> +   task->audit->ctx = ctx;
>  }
>
>  static inline struct audit_context *audit_context(void)
>  {
> -   return current->audit_context;
> +   if (current->audit)
> +   return current->audit->ctx;
> +   else
> +   return NULL;
>  }
>
>  static inline bool audit_dummy_context(void)
> @@ -252,11 +262,7 @@ static inline bool audit_dummy_context(void)
> void *p = audit_context();
> return !p || *(int *)p;
>  }
> -static inline void audit_free(struct task_struct *task)
> -{
> -   if (unlikely(task->audit_context))
> -   __audit_free(task);
> -}
> +
>  static inline void audit_syscall_entry(int major, unsigned long a0,
>unsigned long a1, unsigned long a2,
>unsigned long a3)
> @@ -328,12 +334,18 @@ extern int auditsc_get_stamp(struct audit_context *ctx,
>
>  static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
>  {
> -   return tsk->loginuid;
> +   if (tsk->audit)
> +   return tsk->audit->loginuid;
> +   else
> +   return INVALID_UID;
>  }
>
>  static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
>  {
> -   return tsk->sessionid;
> +   if (tsk->audit)
> +   return tsk->audit->sessionid;
> +   else
> +   return AUDIT_SID_UNSET;
>  }
>
>  extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
> @@ -458,6 +470,8 @@ static inline void audit_fanotify(unsigned int response)
>  extern int audit_n_rules;
>  extern int audit_signals;
>  #else /* CONFIG_AUDITSYSCALL */
> +static inline void __init audit_task_init(void)
> +{ }
>  static inline int audit_alloc(struct task_struct *task)
>  {
> return 0;
> diff --git a/include/linux/sched.h b/include/linux/sched.h
> index b3d697f..6a5db0e 100644
> --- a/include/linux/sched.h
> +++ b/include/linux/sched.h
> @@ -29,7 +29,6 @@
>  #include 
>
>  /* task_struct member predeclarations (sorted alphabetically): */
> -struct audit_context;
>  struct backing_dev_info;
>  struct bio_list;
>  struct blk_plug;
> @@ -832,10 +831,8 @@ struct task_struct {
>
> struct callback_head*task_works;
>
> -   struct audit_context*audit_context;
>  #ifdef CONFIG_AUDITSYSCALL
> -   kuid_t  loginuid;
> -   unsigned intsessionid;
> +   struct audit_task_info  *audit;
>  #endif
> struct seccomp  seccomp;
>
> diff --git a/init/init_task.c b/init/init_task.c
> index 

Re: [PATCH ghak81 V3 2/3] audit: normalize loginuid read access

[Paul Moore]

On Wed, May 16, 2018 at 7:55 AM, Richard Guy Briggs  wrote:
> Recognizing that the loginuid is an internal audit value, use an access
> function to retrieve the audit loginuid value for the task rather than
> reaching directly into the task struct to get it.
>
> Signed-off-by: Richard Guy Briggs 
> ---
>  kernel/auditsc.c | 24 +++-
>  1 file changed, 15 insertions(+), 9 deletions(-)

Also merged into audit/next.

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index f3d3dc6..ef3e189 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -374,7 +374,7 @@ static int audit_field_compare(struct task_struct *tsk,
> case AUDIT_COMPARE_EGID_TO_OBJ_GID:
> return audit_compare_gid(cred->egid, name, f, ctx);
> case AUDIT_COMPARE_AUID_TO_OBJ_UID:
> -   return audit_compare_uid(tsk->loginuid, name, f, ctx);
> +   return audit_compare_uid(audit_get_loginuid(tsk), name, f, 
> ctx);
> case AUDIT_COMPARE_SUID_TO_OBJ_UID:
> return audit_compare_uid(cred->suid, name, f, ctx);
> case AUDIT_COMPARE_SGID_TO_OBJ_GID:
> @@ -385,7 +385,8 @@ static int audit_field_compare(struct task_struct *tsk,
> return audit_compare_gid(cred->fsgid, name, f, ctx);
> /* uid comparisons */
> case AUDIT_COMPARE_UID_TO_AUID:
> -   return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
> +   return audit_uid_comparator(cred->uid, f->op,
> +   audit_get_loginuid(tsk));
> case AUDIT_COMPARE_UID_TO_EUID:
> return audit_uid_comparator(cred->uid, f->op, cred->euid);
> case AUDIT_COMPARE_UID_TO_SUID:
> @@ -394,11 +395,14 @@ static int audit_field_compare(struct task_struct *tsk,
> return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
> /* auid comparisons */
> case AUDIT_COMPARE_AUID_TO_EUID:
> -   return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
> +   return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
> +   cred->euid);
> case AUDIT_COMPARE_AUID_TO_SUID:
> -   return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
> +   return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
> +   cred->suid);
> case AUDIT_COMPARE_AUID_TO_FSUID:
> -   return audit_uid_comparator(tsk->loginuid, f->op, 
> cred->fsuid);
> +   return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
> +   cred->fsuid);
> /* euid comparisons */
> case AUDIT_COMPARE_EUID_TO_SUID:
> return audit_uid_comparator(cred->euid, f->op, cred->suid);
> @@ -611,7 +615,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> result = match_tree_refs(ctx, rule->tree);
> break;
> case AUDIT_LOGINUID:
> -   result = audit_uid_comparator(tsk->loginuid, f->op, 
> f->uid);
> +   result = audit_uid_comparator(audit_get_loginuid(tsk),
> + f->op, f->uid);
> break;
> case AUDIT_LOGINUID_SET:
> result = audit_comparator(audit_loginuid_set(tsk), 
> f->op, f->val);
> @@ -2278,14 +2283,15 @@ int audit_signal_info(int sig, struct task_struct *t)
>  {
> struct audit_aux_data_pids *axp;
> struct audit_context *ctx = audit_context();
> -   kuid_t uid = current_uid(), t_uid = task_uid(t);
> +   kuid_t uid = current_uid(), auid, t_uid = task_uid(t);
>
> if (auditd_test_task(t) &&
> (sig == SIGTERM || sig == SIGHUP ||
>  sig == SIGUSR1 || sig == SIGUSR2)) {
> audit_sig_pid = task_tgid_nr(current);
> -   if (uid_valid(current->loginuid))
> -   audit_sig_uid = current->loginuid;
> +   auid = audit_get_loginuid(current);
> +   if (uid_valid(auid))
> +   audit_sig_uid = auid;
> else
> audit_sig_uid = uid;
> security_task_getsecid(current, _sig_sid);
> --
> 1.8.3.1
>



-- 
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 11/40] ipv6/flowlabel: simplify pid namespace lookup

[Eric W. Biederman]

Christoph Hellwig  writes:

> On Thu, May 17, 2018 at 12:28:01AM -0500, Eric W. Biederman wrote:
>> > struct pid_namespace *proc_pid_namespace(struct inode *inode)
>> > {
>> >// maybe warn on for s_magic not on procfs??
>> >return inode->i_sb->s_fs_info;
>> > }
>> 
>> That should work.  Ideally out of line for the proc_fs.h version.
>> Basically it should be a cousin of PDE_DATA.
>
> The version in Al's tree is inline and without the warning as
> I didn't want to drag in the magic.h include.  Please look at it for
> additional comments, I can send incremental fixups if needed.

Sounds good.

Eric

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH nft 0/7] Python test fixes

[Florian Westphal]

Máté Eckl  wrote:
> This sereis of patches fix or supplement files related to python tests that I
> have met during my first test case.
> 
> Máté Eckl (7):
>   test: Specify python version in nft-test.py
>   test: Small typo fixes in the python tests README
>   test/py: Updated test file structure descripion in README
>   test: py: print_msg refactor
>   test: py: print path of the logfile
>   test: py: Added paylad file description to README
>   test: py: Make diff functions use print_* functions
> 
>  tests/py/README  | 51 +---
>  tests/py/nft-test.py | 31 +++
>  2 files changed, 55 insertions(+), 27 deletions(-)

Series applied, thank you.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [nft PATCH] nft.8: Document limitation of reject statement in bridge family

[Florian Westphal]

Phil Sutter  wrote:
> Bridge family allows reject statement in prerouting and input chains
> only. Users can't know without looking at kernel code.

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH nft 1/2] Introduce socket matching

[Florian Westphal]

Máté Eckl  wrote:
> +socket_stmt  :   SOCKET  EXISTS /* with the actual 
> implementation we cannot match abscence */

I think we should go for a native expression.

I'll leave it up to you what you'd like to do next.
There are a few options:
1. First go for TPROXY in nft (i.e. finish userspace syntax first)
2. add socket expression for nf_tables.
3. add support for SYNPROXY (outside of your original proposal,
   but this can be done via nft_compat without loss of functionality).

I think 1 or 2 would make most sense, let me know.

In case you go for #2, i would go for net/netfilter/nft_socket.c,
you'll need a way to serialize the socket_stmt data via new netlink
attributes.

You can look at 2fa841938c648fe4359691f41e8e1f37ff1a3aa2 for
a commit that added a new expression.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH nf-next] netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval

[Florian Westphal]

Taehee Yoo  wrote:
> In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg.
> But correct type is u8. so that sometimes incorrect value is dereferenced.

Acked-by: Florian Westphal 
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH nf-next] netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval

[Taehee Yoo]

In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg.
But correct type is u8. so that sometimes incorrect value is dereferenced.

Steps to reproduce:

   %nft add table ip filter
   %nft add chain ip filter input { type filter hook input priority 4\; }
   %nft add rule ip filter input nftrace set 0
   %nft monitor

Sometimes, we can see trace messages.

   trace id 16767227 ip filter input packet: iif "enp2s0"
   ether saddr xx:xx:xx:xx:xx:xx ether daddr xx:xx:xx:xx:xx:xx
   ip saddr 192.168.0.1 ip daddr 255.255.255.255 ip dscp cs0
   ip ecn not-ect ip
   trace id 16767227 ip filter input rule nftrace set 0 (verdict continue)
   trace id 16767227 ip filter input verdict continue
   trace id 16767227 ip filter input

Signed-off-by: Taehee Yoo 
---
 net/netfilter/nft_meta.c | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 5348bd0..1105a23 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -259,7 +259,7 @@ static void nft_meta_set_eval(const struct nft_expr *expr,
struct sk_buff *skb = pkt->skb;
u32 *sreg = >data[meta->sreg];
u32 value = *sreg;
-   u8 pkt_type;
+   u8 value8;
 
switch (meta->key) {
case NFT_META_MARK:
@@ -269,15 +269,17 @@ static void nft_meta_set_eval(const struct nft_expr *expr,
skb->priority = value;
break;
case NFT_META_PKTTYPE:
-   pkt_type = nft_reg_load8(sreg);
+   value8 = nft_reg_load8(sreg);
 
-   if (skb->pkt_type != pkt_type &&
-   skb_pkt_type_ok(pkt_type) &&
+   if (skb->pkt_type != value8 &&
+   skb_pkt_type_ok(value8) &&
skb_pkt_type_ok(skb->pkt_type))
-   skb->pkt_type = pkt_type;
+   skb->pkt_type = value8;
break;
case NFT_META_NFTRACE:
-   skb->nf_trace = !!value;
+   value8 = nft_reg_load8(sreg);
+
+   skb->nf_trace = !!value8;
break;
default:
WARN_ON(1);
-- 
2.9.3

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH nft 1/2] Introduce socket matching

[Florian Westphal]

Máté Eckl  wrote:
> Originally I also added the following lines but it made the print too slow for
> the test to pass.
> 
> It printed the following warning:
>   inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket 
> exists': 'socket exists' mismatches 'socke'
>   inet/socket.t: WARNING: line 9: 'add rule ip sockip4 sockchain socket 
> flags transparent': 'socket flags transparent' mismatches 'socket'
> 
> To be honest I don't know what this criterion means so if it is important 
> please
> notify me.
> 
> diff --git a/src/statement.c b/src/statement.c
> index ff6a98a..ec3b0c0 100644
> --- a/src/statement.c
> +++ b/src/statement.c
> @@ -183,6 +183,10 @@ static void socket_stmt_print(const struct stmt *stmt, 
> struct output_ctx *octx)
>*existance_str = (s->exists) ? "exists" : "missing";
>  
>   nft_print(octx, "socket");
> +
> + if(octx->stateless)
> + return;

This test makes no sense, socket match has no state.

This is for 'nft -s' which e.g. prints 'counter' instead
of 'counter x packets y bytes'.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] netfilter: properly initialize xt_table_info structure

[Greg Kroah-Hartman]

On Thu, May 17, 2018 at 12:42:00PM +0200, Jan Engelhardt wrote:
> 
> On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote:
> >> > --- a/net/netfilter/x_tables.c
> >> > +++ b/net/netfilter/x_tables.c
> >> > @@ -1183,11 +1183,10 @@ struct xt_table_info 
> >> > *xt_alloc_table_info(unsigned int size)
> >> >   * than shoot all processes down before realizing there is 
> >> > nothing
> >> >   * more to reclaim.
> >> >   */
> >> > -info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY);
> >> > +info = kvzalloc(sz, GFP_KERNEL | __GFP_NORETRY);
> >> >  if (!info)
> >> >  return NULL;
> >>
> >> I am curious, what particular path does not later overwrite the whole zone 
> >> ?
> >
> >In do_ipt_get_ctl, the IPT_SO_GET_ENTRIES: option uses a len value that
> >can be larger than the size of the structure itself.
> >
> >Then the data is copied to userspace in copy_entries_to_user() for ipv4
> >and v6, and that's where the "bad data"
> 
> If the kernel incorrectly copies more bytes than it should, isn't that
> a sign that may be going going past the end of the info buffer?
> (And thus, zeroing won't truly fix the issue)

No, the buffer size is correct, we just aren't filling up the whole
buffer as the data requested is smaller than the buffer size.

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH libmnl] examples: add arp cache dump example

[Laura Garcia Liebana]

Adding ARP example in order to dump the info in the form:

index= family= dst= lladdr= 
state=

Signed-off-by: Laura Garcia Liebana 
---
 examples/rtnl/Makefile.am |   6 +-
 examples/rtnl/rtnl-arp-dump.c | 161 ++
 2 files changed, 166 insertions(+), 1 deletion(-)
 create mode 100644 examples/rtnl/rtnl-arp-dump.c

diff --git a/examples/rtnl/Makefile.am b/examples/rtnl/Makefile.am
index 24769b6..e56365c 100644
--- a/examples/rtnl/Makefile.am
+++ b/examples/rtnl/Makefile.am
@@ -6,7 +6,8 @@ check_PROGRAMS = rtnl-addr-dump \
 rtnl-link-set \
 rtnl-route-add \
 rtnl-route-dump \
-rtnl-route-event
+rtnl-route-event \
+rtnl-arp-dump
 
 rtnl_addr_dump_SOURCES = rtnl-addr-dump.c
 rtnl_addr_dump_LDADD = ../../src/libmnl.la
@@ -34,3 +35,6 @@ rtnl_route_dump_LDADD = ../../src/libmnl.la
 
 rtnl_route_event_SOURCES = rtnl-route-event.c
 rtnl_route_event_LDADD = ../../src/libmnl.la
+
+rtnl_arp_dump_SOURCES = rtnl-arp-dump.c
+rtnl_arp_dump_LDADD = ../../src/libmnl.la
diff --git a/examples/rtnl/rtnl-arp-dump.c b/examples/rtnl/rtnl-arp-dump.c
new file mode 100644
index 000..fc0f205
--- /dev/null
+++ b/examples/rtnl/rtnl-arp-dump.c
@@ -0,0 +1,161 @@
+/* This example is placed in the public domain. */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+
+static int data_attr_cb(const struct nlattr *attr, void *data)
+{
+   const struct nlattr **tb = data;
+   int type = mnl_attr_get_type(attr);
+
+   /* skip unsupported attribute in user-space */
+   if (mnl_attr_type_valid(attr, IFA_MAX) < 0)
+   return MNL_CB_OK;
+
+   switch(type) {
+   case NDA_DST:
+   if (mnl_attr_validate(attr, MNL_TYPE_BINARY) < 0) {
+   perror("mnl_attr_validate");
+   return MNL_CB_ERROR;
+   }
+   break;
+   case NDA_LLADDR:
+   if (mnl_attr_validate(attr, MNL_TYPE_BINARY) < 0) {
+   perror("mnl_attr_validate");
+   return MNL_CB_ERROR;
+   }
+   break;
+   }
+   tb[type] = attr;
+   return MNL_CB_OK;
+}
+
+static int data_cb(const struct nlmsghdr *nlh, void *data)
+{
+   struct nlattr *tb[IFA_MAX + 1] = {};
+   struct ndmsg *ndm = mnl_nlmsg_get_payload(nlh);
+
+   printf("index=%d family=%d ", ndm->ndm_ifindex, ndm->ndm_family);
+
+   mnl_attr_parse(nlh, sizeof(*ndm), data_attr_cb, tb);
+   printf("dst=");
+   if (tb[NDA_DST]) {
+   void *addr = mnl_attr_get_payload(tb[NDA_DST]);
+   char out[INET6_ADDRSTRLEN];
+
+   if (inet_ntop(ndm->ndm_family, addr, out, sizeof(out)))
+   printf("%s ", out);
+   }
+
+   mnl_attr_parse(nlh, sizeof(*ndm), data_attr_cb, tb);
+   printf("lladdr=");
+   if (tb[NDA_LLADDR]) {
+   void *addr = mnl_attr_get_payload(tb[NDA_LLADDR]);
+   unsigned char lladdr[6] = {0};
+
+   if (memcpy(, addr, 6))
+   printf("%02x:%02x:%02x:%02x:%02x:%02x ", lladdr[0], 
lladdr[1], lladdr[2], lladdr[3], lladdr[4], lladdr[5]);
+   }
+
+   printf("state=");
+   switch(ndm->ndm_state) {
+   case NUD_INCOMPLETE:
+   printf("incomplete ");
+   break;
+   case NUD_REACHABLE:
+   printf("reachable ");
+   break;
+   case NUD_STALE:
+   printf("stale ");
+   break;
+   case NUD_DELAY:
+   printf("delay ");
+   break;
+   case NUD_PROBE:
+   printf("probe ");
+   break;
+   case NUD_FAILED:
+   printf("failed ");
+   break;
+   case NUD_NOARP:
+   printf("noarp ");
+   break;
+   case NUD_PERMANENT:
+   printf("permanent ");
+   break;
+   default:
+   printf("%d ", ndm->ndm_state);
+   break;
+   }
+
+   printf("\n");
+   return MNL_CB_OK;
+}
+
+int main(int argc, char *argv[])
+{
+   struct mnl_socket *nl;
+   char buf[MNL_SOCKET_BUFFER_SIZE];
+   struct nlmsghdr *nlh;
+   struct rtgenmsg *rt;
+   int ret;
+   unsigned int seq, portid;
+
+   if (argc != 2) {
+   fprintf(stderr, "Usage: %s \n", argv[0]);
+   exit(EXIT_FAILURE);
+   }
+
+   nlh = mnl_nlmsg_put_header(buf);
+   nlh->nlmsg_type = RTM_GETNEIGH;
+   nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
+   nlh->nlmsg_seq = seq = time(NULL);
+
+   rt = mnl_nlmsg_put_extra_header(nlh, sizeof(struct rtgenmsg));
+   if (strcmp(argv[1], "inet") == 0)
+   rt->rtgen_family = AF_INET;
+   else if (strcmp(argv[1], "inet6") == 0)
+   

Re: [PATCH nf-next 0/2] netfilter: nft map lookups support for number generator expressions

[Pablo Neira Ayuso]

On Fri, May 11, 2018 at 12:13:26AM +0200, Laura Garcia Liebana wrote:
> The following patches complete the implementation of map lookups
> using as a key the given number generator like incremental, random or
> the different hash algorithms supported. This is useful for load
> balancing use cases but also for dynamic map lookups using these
> expressions.

Series applied, thanks Laura.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH nf-next] netfilter: fix fallout from xt/nf osf separation

[Pablo Neira Ayuso]

On Tue, May 08, 2018 at 10:05:38AM +0200, Florian Westphal wrote:
> Stephen Rothwell says:
>   today's linux-next build (x86_64 allmodconfig) produced this warning:
>   ./usr/include/linux/netfilter/nf_osf.h:25: found __[us]{8,16,32,64} type 
> without #include 
> 
> Fix that up and also move kernel-private struct out of uapi (it was not
> exposed in any released kernel version).
> 
> tested via allmodconfig build + make headers_check.

Applied, thanks Florian.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH nf-next] netfilter: nf_tables: remove old nf_log based tracing

[Pablo Neira Ayuso]

On Fri, May 11, 2018 at 09:55:39PM +0200, Florian Westphal wrote:
> nfnetlink tracing is available since nft 0.6 (June 2016).
> Remove old nf_log based tracing to avoid rule counter in main loop.

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH nf-next,v3 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

[Pablo Neira Ayuso]

In nfqueue, two consecutive skbuffs may race to create the conntrack
entry. Hence, the one that loses the race gets dropped due to clash in
the insertion into the hashes from the nf_conntrack_confirm() path.

This patch adds a new nf_conntrack_update() function which searches for
possible clashes and resolve them. NAT mangling for the packet losing
race is corrected by using the conntrack information that won race.

In order to avoid direct module dependencies with conntrack and NAT, the
nf_ct_hook and nf_nat_hook structures are used for this purpose.

Signed-off-by: Pablo Neira Ayuso 
---
v3: move nf_ct_get() and nf_ct_is_confirmed() symbols to nf_conntrack_core.c
to address kbuild robot reports.

 include/linux/netfilter.h |  5 +++
 net/netfilter/nf_conntrack_core.c | 77 +++
 net/netfilter/nf_nat_core.c   | 41 +
 net/netfilter/nfnetlink_queue.c   | 28 --
 4 files changed, 132 insertions(+), 19 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index e0080c04d309..58660a7af928 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -325,11 +325,15 @@ int nf_reroute(struct sk_buff *skb, struct nf_queue_entry 
*entry);
 struct nf_conn;
 enum nf_nat_manip_type;
 struct nlattr;
+enum ip_conntrack_dir;
 
 struct nf_nat_hook {
int (*parse_nat_setup)(struct nf_conn *ct, enum nf_nat_manip_type manip,
   const struct nlattr *attr);
void (*decode_session)(struct sk_buff *skb, struct flowi *fl);
+   unsigned int (*manip_pkt)(struct sk_buff *skb, struct nf_conn *ct,
+ enum nf_nat_manip_type mtype,
+ enum ip_conntrack_dir dir);
 };
 
 extern struct nf_nat_hook __rcu *nf_nat_hook;
@@ -393,6 +397,7 @@ struct nf_conn;
 enum ip_conntrack_info;
 
 struct nf_ct_hook {
+   int (*update)(struct net *net, struct sk_buff *skb);
void (*destroy)(struct nf_conntrack *);
 };
 extern struct nf_ct_hook __rcu *nf_ct_hook;
diff --git a/net/netfilter/nf_conntrack_core.c 
b/net/netfilter/nf_conntrack_core.c
index 8d109d750073..946b28610162 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1607,6 +1607,82 @@ static void nf_conntrack_attach(struct sk_buff *nskb, 
const struct sk_buff *skb)
nf_conntrack_get(skb_nfct(nskb));
 }
 
+static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
+{
+   const struct nf_conntrack_l3proto *l3proto;
+   const struct nf_conntrack_l4proto *l4proto;
+   struct nf_conntrack_tuple_hash *h;
+   struct nf_conntrack_tuple tuple;
+   enum ip_conntrack_info ctinfo;
+   struct nf_nat_hook *nat_hook;
+   unsigned int dataoff, status;
+   struct nf_conn *ct;
+   u16 l3num;
+   u8 l4num;
+
+   ct = nf_ct_get(skb, );
+   if (!ct || nf_ct_is_confirmed(ct))
+   return 0;
+
+   l3num = nf_ct_l3num(ct);
+   l3proto = nf_ct_l3proto_find_get(l3num);
+
+   if (l3proto->get_l4proto(skb, skb_network_offset(skb), ,
+) <= 0)
+   return -1;
+
+   l4proto = nf_ct_l4proto_find_get(l3num, l4num);
+
+   if (!nf_ct_get_tuple(skb, skb_network_offset(skb), dataoff, l3num,
+l4num, net, , l3proto, l4proto))
+   return -1;
+
+   if (ct->status & IPS_SRC_NAT) {
+   memcpy(tuple.src.u3.all,
+  ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.all,
+  sizeof(tuple.src.u3.all));
+   tuple.src.u.all =
+   ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.all;
+   }
+
+   if (ct->status & IPS_DST_NAT) {
+   memcpy(tuple.dst.u3.all,
+  ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.all,
+  sizeof(tuple.dst.u3.all));
+   tuple.dst.u.all =
+   ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.all;
+   }
+
+   h = nf_conntrack_find_get(net, >zone, );
+   if (!h)
+   return 0;
+
+   /* Store status bits of the conntrack that is clashing to re-do NAT
+* mangling according to what it has been done already to this packet.
+*/
+   status = ct->status;
+
+   nf_ct_put(ct);
+   ct = nf_ct_tuplehash_to_ctrack(h);
+   nf_ct_set(skb, ct, ctinfo);
+
+   nat_hook = rcu_dereference(nf_nat_hook);
+   if (!nat_hook)
+   return 0;
+
+   if (status & IPS_SRC_NAT &&
+   nat_hook->manip_pkt(skb, ct, NF_NAT_MANIP_SRC,
+   IP_CT_DIR_ORIGINAL) == NF_DROP)
+   return -1;
+
+   if (status & IPS_DST_NAT &&
+   nat_hook->manip_pkt(skb, ct, NF_NAT_MANIP_DST,
+   IP_CT_DIR_ORIGINAL) == NF_DROP)
+   return -1;
+
+   return 0;
+}
+
 /* 

[PATCH nf-next,v3 1/3] netfilter: add struct nf_ct_hook and use it

[Pablo Neira Ayuso]

Move the nf_ct_destroy indirection to the struct nf_ct_hook.

Signed-off-by: Pablo Neira Ayuso 
---
v3: no changes

 include/linux/netfilter.h |  7 ++-
 net/netfilter/core.c  | 14 +++---
 net/netfilter/nf_conntrack_core.c |  9 ++---
 3 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 85a1a0b32c66..9991a286d9b1 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -374,13 +374,18 @@ nf_nat_decode_session(struct sk_buff *skb, struct flowi 
*fl, u_int8_t family)
 
 extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu;
 void nf_ct_attach(struct sk_buff *, const struct sk_buff *);
-extern void (*nf_ct_destroy)(struct nf_conntrack *) __rcu;
 #else
 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
 #endif
 
 struct nf_conn;
 enum ip_conntrack_info;
+
+struct nf_ct_hook {
+   void (*destroy)(struct nf_conntrack *);
+};
+extern struct nf_ct_hook __rcu *nf_ct_hook;
+
 struct nlattr;
 
 struct nfnl_ct_hook {
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 0f6b8172fb9a..cec1c0585949 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -543,6 +543,9 @@ void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff 
*)
__rcu __read_mostly;
 EXPORT_SYMBOL(ip_ct_attach);
 
+struct nf_ct_hook __rcu *nf_ct_hook __read_mostly;
+EXPORT_SYMBOL_GPL(nf_ct_hook);
+
 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb)
 {
void (*attach)(struct sk_buff *, const struct sk_buff *);
@@ -557,17 +560,14 @@ void nf_ct_attach(struct sk_buff *new, const struct 
sk_buff *skb)
 }
 EXPORT_SYMBOL(nf_ct_attach);
 
-void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly;
-EXPORT_SYMBOL(nf_ct_destroy);
-
 void nf_conntrack_destroy(struct nf_conntrack *nfct)
 {
-   void (*destroy)(struct nf_conntrack *);
+   struct nf_ct_hook *ct_hook;
 
rcu_read_lock();
-   destroy = rcu_dereference(nf_ct_destroy);
-   BUG_ON(destroy == NULL);
-   destroy(nfct);
+   ct_hook = rcu_dereference(nf_ct_hook);
+   BUG_ON(ct_hook == NULL);
+   ct_hook->destroy(nfct);
rcu_read_unlock();
 }
 EXPORT_SYMBOL(nf_conntrack_destroy);
diff --git a/net/netfilter/nf_conntrack_core.c 
b/net/netfilter/nf_conntrack_core.c
index 605441727008..8b2a8644d955 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1813,8 +1813,7 @@ void nf_conntrack_cleanup_start(void)
 
 void nf_conntrack_cleanup_end(void)
 {
-   RCU_INIT_POINTER(nf_ct_destroy, NULL);
-
+   RCU_INIT_POINTER(nf_ct_hook, NULL);
cancel_delayed_work_sync(_gc_work.dwork);
nf_ct_free_hashtable(nf_conntrack_hash, nf_conntrack_htable_size);
 
@@ -2131,11 +2130,15 @@ int nf_conntrack_init_start(void)
return ret;
 }
 
+static struct nf_ct_hook nf_conntrack_hook = {
+   .destroy= destroy_conntrack,
+};
+
 void nf_conntrack_init_end(void)
 {
/* For use by REJECT target */
RCU_INIT_POINTER(ip_ct_attach, nf_conntrack_attach);
-   RCU_INIT_POINTER(nf_ct_destroy, destroy_conntrack);
+   RCU_INIT_POINTER(nf_ct_hook, _conntrack_hook);
 }
 
 /*
-- 
2.11.0


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH nf-next,v3 2/3] netfilter: add struct nf_nat_hook and use it

[Pablo Neira Ayuso]

Move decode_session() and parse_nat_setup_hook() indirections to struct
nf_nat_hook structure.

Signed-off-by: Pablo Neira Ayuso 
---
v3: Move nf_nat_hook definition to linux/netfilter.h to address kbuild robot
reports.

 include/linux/netfilter.h| 21 -
 include/net/netfilter/nf_nat_core.h  |  7 ---
 net/netfilter/core.c |  8 +++-
 net/netfilter/nf_conntrack_core.c|  5 -
 net/netfilter/nf_conntrack_netlink.c | 10 +-
 net/netfilter/nf_nat_core.c  | 23 ---
 6 files changed, 36 insertions(+), 38 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 9991a286d9b1..e0080c04d309 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -321,18 +321,29 @@ int nf_route(struct net *net, struct dst_entry **dst, 
struct flowi *fl,
 int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry);
 
 #include 
-extern void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
+
+struct nf_conn;
+enum nf_nat_manip_type;
+struct nlattr;
+
+struct nf_nat_hook {
+   int (*parse_nat_setup)(struct nf_conn *ct, enum nf_nat_manip_type manip,
+  const struct nlattr *attr);
+   void (*decode_session)(struct sk_buff *skb, struct flowi *fl);
+};
+
+extern struct nf_nat_hook __rcu *nf_nat_hook;
 
 static inline void
 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
 {
 #ifdef CONFIG_NF_NAT_NEEDED
-   void (*decodefn)(struct sk_buff *, struct flowi *);
+   struct nf_nat_hook *nat_hook;
 
rcu_read_lock();
-   decodefn = rcu_dereference(nf_nat_decode_session_hook);
-   if (decodefn)
-   decodefn(skb, fl);
+   nat_hook = rcu_dereference(nf_nat_hook);
+   if (nat_hook->decode_session)
+   nat_hook->decode_session(skb, fl);
rcu_read_unlock();
 #endif
 }
diff --git a/include/net/netfilter/nf_nat_core.h 
b/include/net/netfilter/nf_nat_core.h
index 235bd0e9a5aa..0654589c271e 100644
--- a/include/net/netfilter/nf_nat_core.h
+++ b/include/net/netfilter/nf_nat_core.h
@@ -22,11 +22,4 @@ static inline int nf_nat_initialized(struct nf_conn *ct,
return ct->status & IPS_DST_NAT_DONE;
 }
 
-struct nlattr;
-
-extern int
-(*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
- enum nf_nat_manip_type manip,
- const struct nlattr *attr);
-
 #endif /* _NF_NAT_CORE_H */
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index cec1c0585949..8f917449b3be 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -546,6 +546,9 @@ EXPORT_SYMBOL(ip_ct_attach);
 struct nf_ct_hook __rcu *nf_ct_hook __read_mostly;
 EXPORT_SYMBOL_GPL(nf_ct_hook);
 
+struct nf_nat_hook __rcu *nf_nat_hook __read_mostly;
+EXPORT_SYMBOL_GPL(nf_nat_hook);
+
 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb)
 {
void (*attach)(struct sk_buff *, const struct sk_buff *);
@@ -580,11 +583,6 @@ const struct nf_conntrack_zone nf_ct_zone_dflt = {
 EXPORT_SYMBOL_GPL(nf_ct_zone_dflt);
 #endif /* CONFIG_NF_CONNTRACK */
 
-#ifdef CONFIG_NF_NAT_NEEDED
-void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
-EXPORT_SYMBOL(nf_nat_decode_session_hook);
-#endif
-
 static void __net_init __netfilter_net_init(struct nf_hook_entries **e, int 
max)
 {
int h;
diff --git a/net/netfilter/nf_conntrack_core.c 
b/net/netfilter/nf_conntrack_core.c
index 8b2a8644d955..8d109d750073 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -58,11 +58,6 @@
 
 #include "nf_internals.h"
 
-int (*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
- enum nf_nat_manip_type manip,
- const struct nlattr *attr) __read_mostly;
-EXPORT_SYMBOL_GPL(nfnetlink_parse_nat_setup_hook);
-
 __cacheline_aligned_in_smp spinlock_t nf_conntrack_locks[CONNTRACK_LOCKS];
 EXPORT_SYMBOL_GPL(nf_conntrack_locks);
 
diff --git a/net/netfilter/nf_conntrack_netlink.c 
b/net/netfilter/nf_conntrack_netlink.c
index d807b8770be3..39327a42879f 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1431,11 +1431,11 @@ ctnetlink_parse_nat_setup(struct nf_conn *ct,
  enum nf_nat_manip_type manip,
  const struct nlattr *attr)
 {
-   typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
+   struct nf_nat_hook *nat_hook;
int err;
 
-   parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
-   if (!parse_nat_setup) {
+   nat_hook = rcu_dereference(nf_nat_hook);
+   if (!nat_hook) {
 #ifdef CONFIG_MODULES
rcu_read_unlock();
nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
@@ -1446,13 +1446,13 @@ ctnetlink_parse_nat_setup(struct nf_conn *ct,
}
   

Re: [PATCH nf] netfilter: nf_tables: fix NULL pointer dereference on nft_ct_helper_obj_dump()

[Pablo Neira Ayuso]

On Wed, May 16, 2018 at 04:21:05PM +0200, Florian Westphal wrote:
> Taehee Yoo  wrote:
> > In the nft_ct_helper_obj_dump(), always priv->helper4 is dereferenced.
> > But if family is ipv6, priv->helper6 should be dereferenced.
> > 
> > Steps to reproduces:
> > 
> >#test.nft
> >table ip6 filter {
> >ct helper ftp {
> >type "ftp" protocol tcp
> >}
> >chain input {
> >type filter hook input priority 4;
> >ct helper set "ftp"
> >}
> >}
> 
> Acked-by: Florian Westphal 

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] netfilter: properly initialize xt_table_info structure

[Jan Engelhardt]

On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote:
>> > --- a/net/netfilter/x_tables.c
>> > +++ b/net/netfilter/x_tables.c
>> > @@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned 
>> > int size)
>> > * than shoot all processes down before realizing there is nothing
>> > * more to reclaim.
>> > */
>> > -  info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY);
>> > +  info = kvzalloc(sz, GFP_KERNEL | __GFP_NORETRY);
>> >if (!info)
>> >return NULL;
>>
>> I am curious, what particular path does not later overwrite the whole zone ?
>
>In do_ipt_get_ctl, the IPT_SO_GET_ENTRIES: option uses a len value that
>can be larger than the size of the structure itself.
>
>Then the data is copied to userspace in copy_entries_to_user() for ipv4
>and v6, and that's where the "bad data"

If the kernel incorrectly copies more bytes than it should, isn't that
a sign that may be going going past the end of the info buffer?
(And thus, zeroing won't truly fix the issue)

And if the kernel copies too few (because it just does not have more
data than userspace is requesting), what remains in the user buffer
is the garbage that originally was there.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] netfilter: properly initialize xt_table_info structure

[Greg Kroah-Hartman]

On Thu, May 17, 2018 at 02:55:42AM -0700, Eric Dumazet wrote:
> 
> 
> On 05/17/2018 02:34 AM, Greg Kroah-Hartman wrote:
> > When allocating a xt_table_info structure, we should be clearing out the
> > full amount of memory that was allocated, not just the "header" of the
> > structure.  Otherwise odd values could be passed to userspace, which is
> > not a good thing.
> > 
> > Cc: stable 
> > Signed-off-by: Greg Kroah-Hartman 
> > ---
> > v2: use kvzalloc instead of kvmalloc/memset pair, as suggested by Michal 
> > Kubecek
> > 
> >  net/netfilter/x_tables.c | 3 +--
> >  1 file changed, 1 insertion(+), 2 deletions(-)
> > 
> > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> > index cb7cb300c3bc..cd22bb9b66f3 100644
> > --- a/net/netfilter/x_tables.c
> > +++ b/net/netfilter/x_tables.c
> > @@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned 
> > int size)
> >  * than shoot all processes down before realizing there is nothing
> >  * more to reclaim.
> >  */
> > -   info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY);
> > +   info = kvzalloc(sz, GFP_KERNEL | __GFP_NORETRY);
> > if (!info)
> > return NULL;
> >  
> > -   memset(info, 0, sizeof(*info));
> > info->size = size;
> > return info;
> >  }
> > 
> 
> I am curious, what particular path does not later overwrite the whole zone ?

The path back was long, adding Greg Hackman who helped to debug this to
the To: to confirm that I got this correct...

In do_ipt_get_ctl, the IPT_SO_GET_ENTRIES: option uses a len value that
can be larger than the size of the structure itself.

Then the data is copied to userspace in copy_entries_to_user() for ipv4
and v6, and that's where the "bad data" was noticed (a researcher was
using a kernel patch to determine what the data was)

Greg, that's the correct path here, right?

> Do not get me wrong, this is not fast path, but these blobs can be huge.

Yeah, I bet, but for "normal" cases the size should be small and all
should be fine.

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] netfilter: properly initialize xt_table_info structure

[Eric Dumazet]

On 05/17/2018 02:34 AM, Greg Kroah-Hartman wrote:
> When allocating a xt_table_info structure, we should be clearing out the
> full amount of memory that was allocated, not just the "header" of the
> structure.  Otherwise odd values could be passed to userspace, which is
> not a good thing.
> 
> Cc: stable 
> Signed-off-by: Greg Kroah-Hartman 
> ---
> v2: use kvzalloc instead of kvmalloc/memset pair, as suggested by Michal 
> Kubecek
> 
>  net/netfilter/x_tables.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index cb7cb300c3bc..cd22bb9b66f3 100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned 
> int size)
>* than shoot all processes down before realizing there is nothing
>* more to reclaim.
>*/
> - info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY);
> + info = kvzalloc(sz, GFP_KERNEL | __GFP_NORETRY);
>   if (!info)
>   return NULL;
>  
> - memset(info, 0, sizeof(*info));
>   info->size = size;
>   return info;
>  }
> 

I am curious, what particular path does not later overwrite the whole zone ?

Do not get me wrong, this is not fast path, but these blobs can be huge.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH v2] netfilter: properly initialize xt_table_info structure

[Greg Kroah-Hartman]

When allocating a xt_table_info structure, we should be clearing out the
full amount of memory that was allocated, not just the "header" of the
structure.  Otherwise odd values could be passed to userspace, which is
not a good thing.

Cc: stable 
Signed-off-by: Greg Kroah-Hartman 
---
v2: use kvzalloc instead of kvmalloc/memset pair, as suggested by Michal Kubecek

 net/netfilter/x_tables.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index cb7cb300c3bc..cd22bb9b66f3 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned int 
size)
 * than shoot all processes down before realizing there is nothing
 * more to reclaim.
 */
-   info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY);
+   info = kvzalloc(sz, GFP_KERNEL | __GFP_NORETRY);
if (!info)
return NULL;
 
-   memset(info, 0, sizeof(*info));
info->size = size;
return info;
 }
-- 
2.17.0

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] netfilter: properly initialize xt_table_info structure

[Greg Kroah-Hartman]

On Thu, May 17, 2018 at 10:59:51AM +0200, Michal Kubecek wrote:
> On Thu, May 17, 2018 at 10:44:42AM +0200, Greg Kroah-Hartman wrote:
> > When allocating a xt_table_info structure, we should be clearing out the
> > full amount of memory that was allocated, not just the "header" of the
> > structure.  Otherwise odd values could be passed to userspace, which is
> > not a good thing.
> > 
> > Cc: stable 
> > Signed-off-by: Greg Kroah-Hartman 
> > ---
> >  net/netfilter/x_tables.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> > index cb7cb300c3bc..a300e8252bb6 100644
> > --- a/net/netfilter/x_tables.c
> > +++ b/net/netfilter/x_tables.c
> > @@ -1187,7 +1187,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned 
> > int size)
> > if (!info)
> > return NULL;
> >  
> > -   memset(info, 0, sizeof(*info));
> > +   memset(info, 0, sz);
> > info->size = size;
> > return info;
> >  }
> > -- 
> > 2.17.0
> > 
> 
> Or we can replace kvmalloc() by kvzalloc() and remove the memset().

That works for me too, either is sufficient to solve the problem.

Let me go respin this, less lines of code is always better :)

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] netfilter: properly initialize xt_table_info structure

[Michal Kubecek]

On Thu, May 17, 2018 at 10:44:42AM +0200, Greg Kroah-Hartman wrote:
> When allocating a xt_table_info structure, we should be clearing out the
> full amount of memory that was allocated, not just the "header" of the
> structure.  Otherwise odd values could be passed to userspace, which is
> not a good thing.
> 
> Cc: stable 
> Signed-off-by: Greg Kroah-Hartman 
> ---
>  net/netfilter/x_tables.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index cb7cb300c3bc..a300e8252bb6 100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -1187,7 +1187,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int 
> size)
>   if (!info)
>   return NULL;
>  
> - memset(info, 0, sizeof(*info));
> + memset(info, 0, sz);
>   info->size = size;
>   return info;
>  }
> -- 
> 2.17.0
> 

Or we can replace kvmalloc() by kvzalloc() and remove the memset().

Michal Kubecek
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] netfilter: properly initialize xt_table_info structure

[Greg Kroah-Hartman]

When allocating a xt_table_info structure, we should be clearing out the
full amount of memory that was allocated, not just the "header" of the
structure.  Otherwise odd values could be passed to userspace, which is
not a good thing.

Cc: stable 
Signed-off-by: Greg Kroah-Hartman 
---
 net/netfilter/x_tables.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index cb7cb300c3bc..a300e8252bb6 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1187,7 +1187,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int 
size)
if (!info)
return NULL;
 
-   memset(info, 0, sizeof(*info));
+   memset(info, 0, sz);
info->size = size;
return info;
 }
-- 
2.17.0

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH nft 1/2] Introduce socket matching

[Máté Eckl]

Originally I also added the following lines but it made the print too slow for
the test to pass.

It printed the following warning:
inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket 
exists': 'socket exists' mismatches 'socke'
inet/socket.t: WARNING: line 9: 'add rule ip sockip4 sockchain socket 
flags transparent': 'socket flags transparent' mismatches 'socket'

To be honest I don't know what this criterion means so if it is important please
notify me.

diff --git a/src/statement.c b/src/statement.c
index ff6a98a..ec3b0c0 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -183,6 +183,10 @@ static void socket_stmt_print(const struct stmt *stmt, 
struct output_ctx *octx)
 *existance_str = (s->exists) ? "exists" : "missing";
 
nft_print(octx, "socket");
+
+   if(octx->stateless)
+   return;
+
if (s->flags) {
__u8 f = s->flags;
 
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH nft 5/7] test: py: print path of the logfile

[Máté Eckl]

It is good to know that a log is generated even without browsing the
nft-test.py source code.

Also print_info function is introduced.

Signed-off-by: Máté Eckl 
---
 tests/py/README  | 2 ++
 tests/py/nft-test.py | 5 -
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/tests/py/README b/tests/py/README
index a156032..0e12dfa 100644
--- a/tests/py/README
+++ b/tests/py/README
@@ -132,6 +132,8 @@ E) Meaning of messages:
 * A warning message means the rule input and output of nft mismatches.
 * An error message means the nft-tool shows an error when we add it or
   the listing is broken after the rule is added.
+* An info message means something that is not necessarily related to any test
+  case and does not indicate faulty behaviour.
 
 F) Acknowledgements
 
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 2be4700..b536e9c 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -124,6 +124,8 @@ def print_error(reason, filename=None, lineno=None):
 def print_warning(reason, filename=None, lineno=None):
 print_msg(reason, "WARNING:", filename, lineno, Colors.YELLOW)
 
+def print_info(reason, filename=None, lineno=None):
+print_msg(reason, "INFO:", filename, lineno, Colors.GREEN)
 
 def color_differences(rule, other, color):
 rlen = len(rule)
@@ -1350,8 +1352,9 @@ def main():
 global log_file
 try:
 log_file = open(LOGFILE, 'w')
+print_info("Log will be available at %s" % LOGFILE)
 except IOError:
-print "Cannot open log file %s" % LOGFILE
+print_error("Cannot open log file %s" % LOGFILE)
 return
 
 file_list = []
-- 
ecklm

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH nft 0/7] Python test fixes

[Máté Eckl]

This sereis of patches fix or supplement files related to python tests that I
have met during my first test case.

Máté Eckl (7):
  test: Specify python version in nft-test.py
  test: Small typo fixes in the python tests README
  test/py: Updated test file structure descripion in README
  test: py: print_msg refactor
  test: py: print path of the logfile
  test: py: Added paylad file description to README
  test: py: Make diff functions use print_* functions

 tests/py/README  | 51 +---
 tests/py/nft-test.py | 31 +++
 2 files changed, 55 insertions(+), 27 deletions(-)

-- 
ecklm

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH nft 1/2] Introduce socket matching

[Máté Eckl]

Socket matching is achieved using the nft_compat interface.

The list of known limitations of the current implementation are:

* The absence of a corresponding socket cannot be matched (`socket
  missing`).
* Only transparent socket flag can be matched, nowildcard is not a flag,
  it should be matched with a different expression if desired. Other
  options that can be set with `setsockopt` are unavailable.
* Such a rule cannot be added to an `inet` table.

In the long term native implementation might be worth it.

Example:

table ip stable {
chain tchain {
type filter hook prerouting priority -150; policy accept;
socket flags transparent counter packets 12 bytes 608 mark set 
0x0001 accept
socket exists counter packets 52 bytes 3316
}
}
table ip6 stable {
chain tchain {
type filter hook prerouting priority -150; policy accept;
socket flags transparent counter packets 0 bytes 0 mark set 
0x0001 accept
socket exists counter packets 0 bytes 0
}
}

Signed-off-by: Máté Eckl 
---
 include/linux/netfilter/nf_tables.h |  4 
 include/statement.h | 10 +
 include/xt.h|  4 ++--
 src/evaluate.c  | 11 ++
 src/netlink_delinearize.c   | 19 
 src/netlink_linearize.c | 21 ++
 src/parser_bison.y  | 31 --
 src/scanner.l   |  3 +++
 src/statement.c | 34 +
 src/xt.c|  2 +-
 10 files changed, 134 insertions(+), 5 deletions(-)

diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 3395faf..31fd6f4 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1284,6 +1284,10 @@ enum nft_fib_flags {
NFTA_FIB_F_PRESENT  = 1 << 5,   /* check existence only */
 };
 
+enum nft_socket_flags {
+   NFTA_SOCKET_TRANSPARENT = (1<<0),
+};
+
 enum nft_ct_helper_attributes {
NFTA_CT_HELPER_UNSPEC,
NFTA_CT_HELPER_NAME,
diff --git a/include/statement.h b/include/statement.h
index de26549..84a8f3f 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -32,6 +32,13 @@ struct counter_stmt {
 
 extern struct stmt *counter_stmt_alloc(const struct location *loc);
 
+struct socket_stmt {
+   bool exists;
+   __u8 flags;
+};
+
+extern struct stmt *socket_stmt_alloc(const struct location *loc, bool exists, 
__u8 flags);
+
 struct exthdr_stmt {
struct expr *expr;
struct expr *val;
@@ -248,6 +255,7 @@ extern struct stmt *xt_stmt_alloc(const struct location 
*loc);
  * @STMT_EXTHDR:   extension header statement
  * @STMT_FLOW_OFFLOAD: flow offload statement
  * @STMT_MAP:  map statement
+ * @STMT_SOCKET:   socket statement
  */
 enum stmt_types {
STMT_INVALID,
@@ -273,6 +281,7 @@ enum stmt_types {
STMT_EXTHDR,
STMT_FLOW_OFFLOAD,
STMT_MAP,
+   STMT_SOCKET,
 };
 
 /**
@@ -335,6 +344,7 @@ struct stmt {
struct objref_stmt  objref;
struct flow_stmtflow;
struct map_stmt map;
+   struct socket_stmt  socket;
};
 };
 
diff --git a/include/xt.h b/include/xt.h
index 753511e..5b29522 100644
--- a/include/xt.h
+++ b/include/xt.h
@@ -14,7 +14,7 @@ void xt_stmt_release(const struct stmt *stmt);
 void netlink_parse_target(struct netlink_parse_ctx *ctx,
  const struct location *loc,
  const struct nftnl_expr *nle);
-void netlink_parse_match(struct netlink_parse_ctx *ctx,
+void xt_netlink_parse_match(struct netlink_parse_ctx *ctx,
 const struct location *loc,
 const struct nftnl_expr *nle);
 void stmt_xt_postprocess(struct rule_pp_ctx *rctx, struct stmt *stmt,
@@ -28,7 +28,7 @@ static inline void xt_stmt_release(const struct stmt *stmt) {}
 static inline void netlink_parse_target(struct netlink_parse_ctx *ctx,
const struct location *loc,
const struct nftnl_expr *nle) {}
-static inline void netlink_parse_match(struct netlink_parse_ctx *ctx,
+static inline void xt_netlink_parse_match(struct netlink_parse_ctx *ctx,
   const struct location *loc,
   const struct nftnl_expr *nle) {}
 static inline void stmt_xt_postprocess(struct rule_pp_ctx *rctx,
diff --git a/src/evaluate.c b/src/evaluate.c
index 4eb36e2..5222f4e 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2686,6 +2686,15 @@ static int stmt_evaluate_objref(struct eval_ctx *ctx, 
struct stmt *stmt)
return 0;
 }
 
+static int 

[PATCH nft 3/7] test/py: Updated test file structure descripion in README

[Máté Eckl]

The order of the table and chain definitions have changed in test files.
Now the name of the chain has to be specified in the definition of the
table, so their order is reverted.

Signed-off-by: Máté Eckl 
---
 tests/py/README | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/tests/py/README b/tests/py/README
index 005fe8e..a156032 100644
--- a/tests/py/README
+++ b/tests/py/README
@@ -64,11 +64,11 @@ A test file contains a set of rules that are added in the 
system.
 
 Here, an example of a test file:
 
-   *ip;test-ipv4   # line 1
-   *ip6;test-ipv6  # line 2
-   *inet;test-inet # line 3
+   :input;type filter hook input priority 0# line 1
 
-   :input;type filter hook input priority 0# line 4
+   *ip;test-ipv4;input # line 2
+   *ip6;test-ipv6;input# line 3
+   *inet;test-inet;input   # line 4
 
ah hdrlength != 11-23;ok;ah hdrlength < 11 ah hdrlength > 23   # line 5
- tcp dport != {22-25} # line 6
@@ -77,12 +77,12 @@ Here, an example of a test file:
?set1 192.168.3.8 192.168.3.9;ok# line 8
# This is a commented-line. # line 9
 
-Line 1 defines a table. The name of the table is 'test-ipv4' and the
-family is ip. Lines 2 and 3 defines more tables for different families
-so the rules in this test file are also tested there.
+Line 1 defines a chain. The name of this chain is "input". The type is 
"filter",
+the hook is "input" and the priority is 0.
 
-Line 4 defines the chain. The name of this chain is "input". The type is
-"filter", the hook is "input" and the priority is 0.
+Line 2 defines a table. The name of the table is 'test-ipv4', the family is ip
+and the chain to be added to it is 'input'. Lines 3 and 4 defines more tables 
for
+different families so the rules in this test file are also tested there.
 
 Line 5 defines the rule, the ";" character is used as separator of several
 parts:
-- 
ecklm

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH nft 1/7] test: Specify python version in nft-test.py

[Máté Eckl]

/usr/bin/python is linked to different main version of python in
different distributions (eg. 2 on debian, 3 on arch linux).

Signed-off-by: Máté Eckl 
---
 tests/py/nft-test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index a41b95d..88a3b21 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python2
 #
 # (C) 2014 by Ana Rey Botello 
 #
-- 
ecklm

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH nft 6/7] test: py: Added paylad file description to README

[Máté Eckl]

Signed-off-by: Máté Eckl 
---
 tests/py/README | 29 ++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/tests/py/README b/tests/py/README
index 0e12dfa..ed5dc58 100644
--- a/tests/py/README
+++ b/tests/py/README
@@ -104,7 +104,30 @@ Line 8 adds two elements into the 'set1' set: 
"192.168.3.8" and
 
 Line 9 uses the "#" symbol that means that this line is commented out.
 
-D) The test folders
+D) What is a payload file?
+
+A payload file contains info about the netlink message exchanged to achieve the
+transaction.
+
+The output can be generated in two ways. Let's see an example via socket
+matching.
+
+   # generate an empty payload file
+   $ touch inet/socket.t.payload
+
+   $ ./nft-test.py inet/socket.t # this will generate inet/socket.t.payload.got
+
+   $ mv inet/socket.t.payload.got inet/socket.t.payload
+
+The other way is using nft --debug=netlink. This has a drawback over the former
+option, as rules has to be run one by one and also a comment has to be added
+before every rule in the payload file.
+
+   $  nft --debug=netlink add rule ip sockip4 sockchain socket exists
+   ip sockip4 sockchain
+ [ match name socket rev 3 ]
+
+E) The test folders
 
 The test files are divided in several directories: ip, ip6, inet, arp,
 bridge and any.
@@ -127,7 +150,7 @@ bridge and any.
  * "any" folder: Here are the test files are executed in ip, ip6, inet,
arp and bridge tables.
 
-E) Meaning of messages:
+F) Meaning of messages:
 
 * A warning message means the rule input and output of nft mismatches.
 * An error message means the nft-tool shows an error when we add it or
@@ -135,7 +158,7 @@ E) Meaning of messages:
 * An info message means something that is not necessarily related to any test
   case and does not indicate faulty behaviour.
 
-F) Acknowledgements
+G) Acknowledgements
 
 Thanks to the Outreach Program for Women (OPW) for sponsoring this test
 infrastructure and my mentor Pablo Neira.
-- 
ecklm

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH nft 7/7] test: py: Make diff functions use print_* functions

[Máté Eckl]

Signed-off-by: Máté Eckl 
---
 tests/py/nft-test.py | 10 --
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index b536e9c..edc0b4b 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -161,15 +161,13 @@ def color_differences(rule, other, color):
 def print_differences_warning(filename, lineno, rule1, rule2, cmd):
 colored_rule1 = color_differences(rule1, rule2, Colors.YELLOW)
 colored_rule2 = color_differences(rule2, rule1, Colors.YELLOW)
-reason = "'" + colored_rule1 + "' mismatches '" + colored_rule2 + "'"
-print filename + ": " + Colors.YELLOW + "WARNING: " + Colors.ENDC + \
-  "line: " + str(lineno + 1) + ": '" + cmd + "': " + reason
+reason = "'%s': '%s' mismatches '%s'" % (cmd, colored_rule1, colored_rule2)
+print_warning(reason, filename, lineno)
 
 
 def print_differences_error(filename, lineno, cmd):
-reason = "Listing is broken."
-print filename + ": " + Colors.RED + "ERROR: " + Colors.ENDC + "line: " + \
-  str(lineno + 1) + ": '" + cmd + "': " + reason
+reason = "'%s': Listing is broken." % cmd
+print_error(reason, filename, lineno)
 
 
 def table_exist(table, filename, lineno):
-- 
ecklm

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH nft 2/2] test: Added test cases for socket matching

[Máté Eckl]

Signed-off-by: Máté Eckl 
---
 tests/py/inet/socket.t | 10 ++
 tests/py/inet/socket.t.payload |  8 
 2 files changed, 18 insertions(+)
 create mode 100644 tests/py/inet/socket.t
 create mode 100644 tests/py/inet/socket.t.payload

diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t
new file mode 100644
index 000..7782c3c
--- /dev/null
+++ b/tests/py/inet/socket.t
@@ -0,0 +1,10 @@
+:sockchain;type filter hook prerouting priority -150
+
+*ip;sockip4;sockchain
+*ip6;sockip6;sockchain
+
+# For now, it does not work for inet tables
+
+socket exists;ok
+socket flags transparent;ok
+
diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload
new file mode 100644
index 000..05ece70
--- /dev/null
+++ b/tests/py/inet/socket.t.payload
@@ -0,0 +1,8 @@
+# socket exists
+ip sockip4 sockchain 
+  [ match name socket rev 3 ]
+
+# socket flags transparent
+ip sockip4 sockchain 
+  [ match name socket rev 3 ]
+
-- 
ecklm

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH nft 2/7] test: Small typo fixes in the python tests README

[Máté Eckl]

Signed-off-by: Máté Eckl 
---
 tests/py/README | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/py/README b/tests/py/README
index 66f706f..005fe8e 100644
--- a/tests/py/README
+++ b/tests/py/README
@@ -77,7 +77,7 @@ Here, an example of a test file:
?set1 192.168.3.8 192.168.3.9;ok# line 8
# This is a commented-line. # line 9
 
-Line 1 defines a table. The name of the table is 'test-ip' and the
+Line 1 defines a table. The name of the table is 'test-ipv4' and the
 family is ip. Lines 2 and 3 defines more tables for different families
 so the rules in this test file are also tested there.
 
@@ -97,7 +97,7 @@ Line 6 is a marked line. This means that this rule is tested 
if
 '-e' is passed as argument to nft-test.py.
 
 Line 7 adds a new set. The name of this set is "set1" and the type
-of this set is "ipv4_add".
+of this set is "ipv4_addr".
 
 Line 8 adds two elements into the 'set1' set: "192.168.3.8" and
 "192.168.3.9". A whitespace separates the elements of the set.
-- 
ecklm

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 11/40] ipv6/flowlabel: simplify pid namespace lookup

[Christoph Hellwig]

On Thu, May 17, 2018 at 12:28:01AM -0500, Eric W. Biederman wrote:
> > struct pid_namespace *proc_pid_namespace(struct inode *inode)
> > {
> > // maybe warn on for s_magic not on procfs??
> > return inode->i_sb->s_fs_info;
> > }
> 
> That should work.  Ideally out of line for the proc_fs.h version.
> Basically it should be a cousin of PDE_DATA.

The version in Al's tree is inline and without the warning as
I didn't want to drag in the magic.h include.  Please look at it for
additional comments, I can send incremental fixups if needed.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html