Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-17 Thread Pablo Neira Ayuso
On Wed, Jun 15, 2016 at 03:13:15PM +, Lubashev, Igor wrote:
> Vish, Pablo,
>
> I wonder about the value of sending more data than a client is
> willing to consume (setting aside the important fact that the client
> code crashes due to the extra data).
>
> It seems that we should either drop

Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-15 Thread Vishwanath Pai
On 06/15/2016 08:39 AM, Pablo Neira Ayuso wrote:
> But nlmsg_len should match len in this.
>
> If we're just sending a part of the packet to userspace, then we
> should adjust nlmsg_len to indicate exactly the netlink message length
> that we're sending to userspace.
>
> Is your patch triggering

Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-15 Thread Pablo Neira Ayuso
On Sun, Jun 12, 2016 at 11:40:57PM -0400, Vishwanath Pai wrote: > On 06/09/2016 01:57 PM, Vishwanath Pai wrote: > > On 06/08/2016 08:16 AM, Pablo Neira Ayuso wrote: > >> Looking again at your code: > >> > >> case NFULNL_COPY_PACKET: > >> - if (inst->copy_range > skb->len) >

Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-12 Thread Vishwanath Pai
On 06/09/2016 01:57 PM, Vishwanath Pai wrote: > On 06/08/2016 08:16 AM, Pablo Neira Ayuso wrote: >> Looking again at your code: >> >> case NFULNL_COPY_PACKET: >> - if (inst->copy_range > skb->len) >> + data_len = inst->copy_range; >> + if

Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-09 Thread Vishwanath Pai
On 06/08/2016 08:16 AM, Pablo Neira Ayuso wrote: > Looking again at your code: > > case NFULNL_COPY_PACKET: > - if (inst->copy_range > skb->len) > + data_len = inst->copy_range; > + if (li->u.ulog.copy_len < data_len) > +

Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-07 Thread Vishwanath Pai
On 06/06/2016 06:31 PM, Pablo Neira Ayuso wrote:
> On Wed, Jun 01, 2016 at 08:23:54PM -0400, Vishwanath Pai wrote:
>> netfilter/nflog: nflog-range does not truncate packets
>>
>> The --nflog-range parameter from userspace is ignored in the kernel and
>> the entire packet is sent to the userspace.

Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-06 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 08:23:54PM -0400, Vishwanath Pai wrote:
> netfilter/nflog: nflog-range does not truncate packets
>
> The --nflog-range parameter from userspace is ignored in the kernel and
> the entire packet is sent to the userspace. The per-instance parameter
> copy_range still works,

[PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-01 Thread Vishwanath Pai
netfilter/nflog: nflog-range does not truncate packets

The --nflog-range parameter from userspace is ignored in the kernel and the entire packet is sent to the userspace. The per-instance parameter copy_range still works; with this change, --nflog-range will have preference over copy_range.