On Thu, Jul 12, 2018 at 04:26:54PM +0200, Pablo Neira Ayuso wrote: > On Thu, Jul 12, 2018 at 12:52:16AM +0200, Máté Eckl wrote: > > Signed-off-by: Máté Eckl <ecklm94@xxxxxxxxx> > > --- > > include/uapi/linux/netfilter/nf_tables.h | 4 +++- > > net/netfilter/nft_socket.c | 11 ++++++++++- > > 2 files changed, 13 insertions(+), 2 deletions(-) > > > > diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h > > index 89438e68dc03..f466860bcf75 100644 > > --- a/include/uapi/linux/netfilter/nf_tables.h > > +++ b/include/uapi/linux/netfilter/nf_tables.h > > @@ -921,10 +921,12 @@ enum nft_socket_attributes { > > /* > > * enum nft_socket_keys - nf_tables socket expression keys > > * > > - * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_ > > + * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option > > + * @NFT_SOCKET_MARK: Value of the socket mark > > */ > > enum nft_socket_keys { > > NFT_SOCKET_TRANSPARENT, > > + NFT_SOCKET_MARK, > > __NFT_SOCKET_MAX > > }; > > #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1) > > diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c > > index 74e1b3bd6954..3f46b2013e26 100644 > > --- a/net/netfilter/nft_socket.c > > +++ b/net/netfilter/nft_socket.c > > @@ -40,7 +40,7 @@ static void nft_socket_eval(const struct nft_expr *expr, > > } > > > > if(!sk) { > > - nft_reg_store8(dest, 0); > > + *dest = 0; > > return; > > I think this should be: > > if (!sk) > regs->verdict.code = NFT_BREAK; > > So we make sure we skip further evaluation, because zero may be a > valid mark. > > or better: > > if (!sk) > goto out: > ... > out: > regs->verdict.code = NFT_BREAK; > > so you consolidate this evaluation break path. > > An initial patch to fix what we have would be good to have. > > > } > > > > @@ -51,6 +51,12 @@ static void nft_socket_eval(const struct nft_expr *expr, > > case NFT_SOCKET_TRANSPARENT: > > nft_reg_store8(dest, inet_sk_transparent(sk)); > > break; > > + case NFT_SOCKET_MARK: > > + if (sk_fullsock(sk)) > > + *dest = inet_request_mark(sk, skb); > > + else > > + *dest = 0; > > Again, better break evaluation here, so I would do: > > if (!sk_fullsock(sk)) > goto out; > > ... > out: > regs->verdict.code = NFT_BREAK; > > Thanks. Thanks for the observation, you are right, it should break evaluation. I'll fix this too. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html