On Thu, Oct 13, 2016 at 02:38:21PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: [...] > > diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c > > index de4fa03f46f3..7040842c34f4 100644 > > --- a/net/ipv4/netfilter/ip_tables.c > > +++ b/net/ipv4/netfilter/ip_tables.c > > @@ -29,6 +29,7 @@ > > #include <linux/netfilter/x_tables.h> > > #include <linux/netfilter_ipv4/ip_tables.h> > > #include <net/netfilter/nf_log.h> > > +#include <net/netfilter/nf_queue.h> > > #include "../../netfilter/xt_repldata.h" > > > > MODULE_LICENSE("GPL"); > > @@ -329,6 +330,9 @@ ipt_do_table(struct sk_buff *skb, > > /* Pop from stack? */ > > if (v != XT_RETURN) { > > verdict = (unsigned int)(-v) - 1; > > + if (verdict == NF_QUEUE) > > + verdict = nf_queue(skb, state, > > + 0, false); > > Any reason why this is needed? > AFAICS xt_NFQUEUE will never return NF_QUEUE after this patch. -j QUEUE uses the standard target to return NF_QUEUE. This is a very primitive way to queue packets to userspace queue 0 via nf_queue, but still may break. I can place this under unlikely() as these days people should be using NFQUEUE instead. > > diff --git a/net/netfilter/core.c b/net/netfilter/core.c > > index 2b3b2f8e39c4..9ae2febd86e3 100644 > > --- a/net/netfilter/core.c > > +++ b/net/netfilter/core.c > > @@ -309,6 +309,7 @@ unsigned int nf_iterate(struct sk_buff *skb, > > unsigned int verdict; > > > > while (*entryp) { > > + RCU_INIT_POINTER(state->hook_entries, *entryp); > > repeat: > > verdict = (*entryp)->ops.hook((*entryp)->ops.priv, skb, state); > > if (verdict != NF_ACCEPT) {
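Review bot: in the `@@ -329,6 +330,9 @@ ipt_do_table` hunk, `verdict = nf_queue(skb, state, 0, false);` passes a bare queue number and bypass flag with nothing saying why; since this branch exists only to keep the legacy `-j QUEUE` semantics (standard target returning NF_QUEUE, queue 0, no bypass), put that in a one-line comment next to the call so nobody later "fixes" the literals. ip_tables.c can be built as a module and now calls nf_queue() directly via the new `#include <net/netfilter/nf_queue.h>`, so confirm the symbol is exported to modules. The same pop-from-stack translation in ip6_tables.c and arp_tables.c is not in the quoted diff; if it is not changed in the rest of the series, -j QUEUE will behave differently per family.

Review bot: in the `@@ -309,6 +309,7 @@ nf_iterate` hunk, `RCU_INIT_POINTER(state->hook_entries, *entryp);` at the top of the `while (*entryp)` loop changes what state->hook_entries means for anyone reading it after nf_iterate() returns: it was the head of the hook list and is now the hook that produced the final verdict. Placing it above the `repeat:` label is correct for NF_REPEAT (the same entry re-runs), but the new meaning should be documented in a comment at the assignment, because callers that continue or reinject from state->hook_entries depend on it.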
> > @@ -331,9 +332,8 @@ int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state) > > int ret; > > > > entry = rcu_dereference(state->hook_entries); > > -next_hook: > > verdict = nf_iterate(skb, state, &entry); > > - switch (verdict & NF_VERDICT_MASK) { > > + switch (verdict) { > > This looks buggy, verdict might encode errno for NF_DROP case. > > What you could do is: > > switch (verdict) { > case NF_ACCEPT: > /* something */ > break; > case NF_STOLEN: > break; > case NF_DROP: /* fallthrough */ > default: /* drop with error? */ > kfree_skb(skb); > errno = ... > } Right, will fix this, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
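Review bot: on the `@@ -331,9 +332,8 @@ nf_hook_slow` hunk, dropping the mask in `switch (verdict)` breaks every verdict that carries a payload in the upper 16 bits: NF_DROP_ERR() stores the errno there and NF_QUEUE_NR() the queue number, so such a verdict matches no case label and falls through to default. Keep `switch (verdict & NF_VERDICT_MASK)`, and in the NF_DROP case read the error with NF_DROP_GETERR(verdict), falling back to -EPERM when it is 0. The hunk as quoted is cut short, so the users of the removed `next_hook:` label cannot be checked here.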
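An added example (mine, not code from the patch, from either reply, or from the kernel tree) modelling the two verdict encodings this thread turns on: the x_tables standard-target decode `(unsigned int)(-v) - 1` seen in the ipt_do_table() hunk, and the errno / queue-number payload in the upper 16 bits of a verdict that makes an unmasked `switch (verdict)` in nf_hook_slow() wrong. The constant values are copied from uapi/linux/netfilter.h; `dispatch_unmasked()` and `dispatch_masked()` are simplified userspace stand-ins for the nf_hook_slow() switch, and their return convention (1 continue, 0 not ours, negative errno) is assumed for illustration.

```c
/* Added example, not kernel code: models netfilter verdict encoding in
 * userspace to show why nf_hook_slow() must mask before switching. */
#include <assert.h>
#include <errno.h>
#include <stdio.h>

/* Verdict values and encoding macros, values as in uapi/linux/netfilter.h. */
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE  3
#define NF_REPEAT 4

#define NF_VERDICT_MASK  0x000000ffU
#define NF_VERDICT_QMASK 0xffff0000U
#define NF_VERDICT_QBITS 16
/* Queue number lives in the upper 16 bits, verdict type in the low byte. */
#define NF_QUEUE_NR(x)   ((((x) << NF_VERDICT_QBITS) & NF_VERDICT_QMASK) | NF_QUEUE)
/* x is a negative errno; its magnitude goes into the upper 16 bits. */
#define NF_DROP_ERR(x)   ((unsigned int)((-(x)) << NF_VERDICT_QBITS) | NF_DROP)
/* As in include/linux/netfilter.h: recover the negative errno, 0 if none. */
#define NF_DROP_GETERR(x) (-(int)(((x) & NF_VERDICT_QMASK) >> NF_VERDICT_QBITS))

/* x_tables stores -j RETURN in the standard target as -NF_REPEAT - 1. */
#define XT_RETURN (-NF_REPEAT - 1)

/* The translation ipt_do_table() applies when it pops a standard-target
 * verdict: the stored value is -NF_<verdict> - 1, so -j QUEUE, stored as
 * -NF_QUEUE - 1, comes back as plain NF_QUEUE (queue 0, no bypass). */
unsigned int xt_standard_verdict(int v)
{
	return (unsigned int)(-v) - 1;
}

/* Assumed return convention for both dispatchers (modelled on nf_hook_slow):
 * 1 = keep processing the packet, 0 = packet is no longer ours (stolen or
 * queued), <0 = dropped with that -errno. If queue_nr is non-NULL it receives
 * the queue the packet went to, or -1 if it was not queued. */

/* Switch on the raw verdict, as the posted hunk does. */
int dispatch_unmasked(unsigned int verdict, int *queue_nr)
{
	if (queue_nr)
		*queue_nr = -1;
	switch (verdict) {
	case NF_ACCEPT:
		return 1;
	case NF_DROP:
		return -EPERM;          /* an errno in the upper bits never gets here */
	case NF_QUEUE:
		if (queue_nr)
			*queue_nr = 0;  /* only queue 0 can ever match this label */
		return 0;
	default:
		/* NF_STOLEN, and by accident every NF_DROP_ERR()/NF_QUEUE_NR()
		 * verdict: the packet is neither freed, queued nor reported. */
		return 0;
	}
}

/* Mask first, then pull the payload out of the upper bits. */
int dispatch_masked(unsigned int verdict, int *queue_nr)
{
	if (queue_nr)
		*queue_nr = -1;
	switch (verdict & NF_VERDICT_MASK) {
	case NF_ACCEPT:
		return 1;
	case NF_DROP: {
		int err = NF_DROP_GETERR(verdict);
		return err ? err : -EPERM;      /* plain NF_DROP reports -EPERM */
	}
	case NF_QUEUE:
		if (queue_nr)
			*queue_nr = (int)((verdict & NF_VERDICT_QMASK) >> NF_VERDICT_QBITS);
		return 0;
	default:
		return 0;                       /* NF_STOLEN and anything unknown */
	}
}

int main(void)
{
	unsigned int v = NF_DROP_ERR(-EHOSTUNREACH);
	int q;

	printf("-j QUEUE decodes to %u (NF_QUEUE is %d)\n",
	       xt_standard_verdict(-NF_QUEUE - 1), NF_QUEUE);
	printf("NF_DROP_ERR(-EHOSTUNREACH) = 0x%08x: unmasked -> %d, masked -> %d\n",
	       v, dispatch_unmasked(v, NULL), dispatch_masked(v, NULL));
	v = NF_QUEUE_NR(5);
	dispatch_unmasked(v, &q);
	printf("NF_QUEUE_NR(5) = 0x%08x: unmasked -> queue %d", v, q);
	dispatch_masked(v, &q);
	printf(", masked -> queue %d\n", q);
	return 0;
}
```

The unmasked switch does not crash or misroute; it silently turns an NF_DROP-with-errno into "not ours" (skb never freed, no error returned to the sender) and routes every non-zero NFQUEUE number the same way, which is exactly the class of bug that only shows up under the verdicts a normal ruleset rarely emits.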