Re: [PATCH nf-next] netfilter: nf_tables: Expose socket mark

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Thu, 12 Jul 2018 16:26:54 +0200

On Thu, Jul 12, 2018 at 12:52:16AM +0200, Máté Eckl wrote:
> Signed-off-by: Máté Eckl <ecklm94@xxxxxxxxx>
> ---
>  include/uapi/linux/netfilter/nf_tables.h |  4 +++-
>  net/netfilter/nft_socket.c               | 11 ++++++++++-
>  2 files changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 89438e68dc03..f466860bcf75 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -921,10 +921,12 @@ enum nft_socket_attributes {
>  /*
>   * enum nft_socket_keys - nf_tables socket expression keys
>   *
> - * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
> + * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
> + * @NFT_SOCKET_MARK: Value of the socket mark
>   */
>  enum nft_socket_keys {
>  	NFT_SOCKET_TRANSPARENT,
> +	NFT_SOCKET_MARK,
>  	__NFT_SOCKET_MAX
>  };
>  #define NFT_SOCKET_MAX	(__NFT_SOCKET_MAX - 1)
> diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
> index 74e1b3bd6954..3f46b2013e26 100644
> --- a/net/netfilter/nft_socket.c
> +++ b/net/netfilter/nft_socket.c
> @@ -40,7 +40,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
>  		}
>  
>  	if(!sk) {
> -		nft_reg_store8(dest, 0);
> +		*dest = 0;
>  		return;

I think this should be:

        if (!sk)
                regs->verdict.code = NFT_BREAK;

So we make sure we skip further evaluation, because zero may be a
valid mark.

or better:

        if (!sk)
                goto out:
        ...
out:
        regs->verdict.code = NFT_BREAK;

so you consolidate this evaluation break path.

An initial patch to fix what we have would be good to have.

>  	}
>  
> @@ -51,6 +51,12 @@ static void nft_socket_eval(const struct nft_expr *expr,
>  	case NFT_SOCKET_TRANSPARENT:
>  		nft_reg_store8(dest, inet_sk_transparent(sk));
>  		break;
> +	case NFT_SOCKET_MARK:
> +		if (sk_fullsock(sk))
> +			*dest = inet_request_mark(sk, skb);
> +		else
> +			*dest = 0;

Again, better break evaluation here, so I would do:

                if (!sk_fullsock(sk))
                        goto out;

...
out:
        regs->verdict.code = NFT_BREAK;

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html