Re: [PATCH -next 5/6] netfilter: Per network namespace netfilter hooks.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> writes:

> On Fri, Jul 10, 2015 at 06:15:06PM -0500, Eric W. Biederman wrote:
>> @@ -102,13 +112,35 @@ int nf_register_hook(struct nf_hook_ops *reg)
>>  #endif
>>  	return 0;
>>  }
>> -EXPORT_SYMBOL(nf_register_hook);
>> +EXPORT_SYMBOL(nf_register_net_hook);
>>  
>> -void nf_unregister_hook(struct nf_hook_ops *reg)
>> +void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg)
>>  {
>> +	struct list_head *nf_hook_list;
>> +	struct nf_hook_ops *elem;
>> +
>> +	nf_hook_list = find_nf_hook_list(net, reg);
>> +	if (!nf_hook_list)
>> +		return;
>> +
>>  	mutex_lock(&nf_hook_mutex);
>> -	list_del_rcu(&reg->list);
>> +	list_for_each_entry(elem, nf_hook_list, list) {
>> +		if ((reg->hook     == elem->hook) &&
>> +		    (reg->dev      == elem->dev) &&
>> +		    (reg->owner    == elem->owner) &&
>> +		    (reg->priv     == elem->priv) &&
>> +		    (reg->pf       == elem->pf) &&
>> +		    (reg->hooknum  == elem->hooknum) &&
>> +		    (reg->priority == elem->priority)) {
>> +			list_del_rcu(&elem->list);
>> +			break;
>> +		}
>> +	}
>
> I think I found a problem with this code above.
>
> If we register two hooks from the same module using exactly the same
> tuple that identifies this, we delete the hook that we don't want, eg.
>
>         nft add table filter
>         nft add chain filter test { type filter hook input priority 0\; }
>         nft add chain filter test2 { type filter hook input priority 0\; }
>
> then, you delete 'test':
>
>         nft delete chain filter test
>
> This will delete 'test2' hook instead of 'test' as it will find this
> in first place on the list.

So we have two adjacent entries on the same chain that perform the exact
same action.  We delete one of them.

I do not see how that is noticable.  Registration order plays a small
role but especially with the priority bit we don't strongly honor
registration order.

In your example above we will distinguish between the two chains
as nf_hook_ops->priv will point the nf tables chain.   So that specific
case is at least safe.

> I think we should add a cookie field that stores the address of the
> original hook object that is passed as parameter, so we are sure we
> kill the right hook.

I don't believe that is necessary.  To the best of my knowledge for a
registration to be meaningful we must always change at least one of
those fields I am comparing.  Typically either priv or hook.

It is a real change from what we have been doing but there is a lot
of freedom in not needing to keep the original structure around.

Eric

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux