Re: [PATCH RFC] nftables: fix surpression of "permission denied" errors

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Jan 09, 2014 at 06:40:25PM +0100, Pablo Neira Ayuso wrote:
> Hi Patrick,
> 
> On Wed, Jan 08, 2014 at 08:58:13PM +0000, Patrick McHardy wrote:
> > commit 8ca6730e9c8fd59d8a03ae505777a8a6b97898b1
> > Author: Patrick McHardy <kaber@xxxxxxxxx>
> > Date:   Wed Jan 8 20:57:11 2014 +0000
> > 
> >     nftables: fix surpression of "permission denied" errors
> >     
> >     ntroduction of batch support broke displaying of EPERM since those are
> >     generated by the kernel before batch processing start and thus have the
> >     sequence number of the NFNL_MSG_BATCH_BEGIN message instead of the
> >     command messages. Also only a single error message is generated for the
> >     entire batch.
> >     
> >     This patch fixes this by noting the batch sequence number and displaying
> >     the error for all commands since this is what would happen if the
> >     permission check was inside batch processing as every other check.
> 
> One error message per line can be too much if we have a big batch,
> perhaps we can just point to the first rule in the batch and print
> something like: "7 error suppressed.", similar to syslog, where 7 is
> the number of rules that follow up after EPERM message.

Well, this was done to stay consistent with any other error type.
We could compress similar errors, but there are a few things to
consider. One is that it might be hard to point to the correct
spot(s) in the error message. Also the output format was chosen to
be similar to gcc so f.i. vi could easily jump to rules causing
errors in a file. For now I think we should apply this patch, which
will treat EPERM like any other error, and then work on something
to reduce the output.

> BTW, with really really big batches, the kernel may fail to allocate
> the acknowledgment. We discussed this already with David, and he
> thinks it doesn't make sense to send such a big message back to
> sender. We can add:
> 
>  void netlink_ack_len(struct sk_buff *in_skb, struct nlmsghdr *nlh,
>                       int err, int len)
> 
> where len specifies the length would be the original netlink header +
> nfnetlink header, so the rules are not sent back to userspace.
> 
> Let me know, thanks!

Why would it depend on the size of the batch? The errors are allocated
for every single message *within* the batch. I agree though that if
we can allocate a smaller message without the full contents, this
is still better than using sk_err. But I guess that should simply
be fallback behaviour of netlink_ack() instead of specifying a
length.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux