Hi,
I'm sorry for this email in Spanish, I forgot to trim off Cc when
reviewing some cosmestic stuff.
On Thu, Jul 12, 2018 at 10:18:32PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jul 12, 2018 at 12:34:14PM +0200, Fernando Fernandez Mancera wrote:
> > Added _ADD and _REMOVE commands to nf_tables_api.c in order to use the
> > nf_tables interface to add 'osf' signatures in nft.
> >
> > Signed-off-by: Fernando Fernandez Mancera <ffmancera@xxxxxxxxxx>
> > ---
> > include/net/netfilter/nf_tables_core.h | 2 +
> > include/uapi/linux/netfilter/nf_osf.h | 8 ++
> > include/uapi/linux/netfilter/nf_tables.h | 14 +++
> > include/uapi/linux/netfilter/xt_osf.h | 7 +-
> > net/netfilter/nf_tables_api.c | 110 +++++++++++++++++++++++
> > net/netfilter/nft_osf.c | 1 +
> > 6 files changed, 136 insertions(+), 6 deletions(-)
> >
> > diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h
> > index e0c0c2558ec4..ee7eabc8d3e1 100644
> > --- a/include/net/netfilter/nf_tables_core.h
> > +++ b/include/net/netfilter/nf_tables_core.h
> > @@ -65,4 +65,6 @@ extern const struct nft_expr_ops nft_payload_fast_ops;
> > extern struct static_key_false nft_counters_enabled;
> > extern struct static_key_false nft_trace_enabled;
> >
> > +extern struct list_head nft_osf_fingers[2];
> > +
> > #endif /* _NET_NF_TABLES_CORE_H */
> > diff --git a/include/uapi/linux/netfilter/nf_osf.h b/include/uapi/linux/netfilter/nf_osf.h
> > index 79882b2f7f8e..35352c1cd994 100644
> > --- a/include/uapi/linux/netfilter/nf_osf.h
> > +++ b/include/uapi/linux/netfilter/nf_osf.h
> > @@ -2,6 +2,8 @@
> > #define _NF_OSF_H
> >
> > #include <linux/types.h>
> > +#include <linux/ip.h>
> > +#include <linux/tcp.h>
> >
> > #define MAXGENRELEN 32
> >
> > @@ -90,4 +92,10 @@ enum iana_options {
> > OSFOPT_EMPTY = 255,
> > };
> >
> > +enum nf_osf_attr_type {
> > + OSF_ATTR_UNSPEC,
> > + OSF_ATTR_FINGER,
> > + OSF_ATTR_MAX,
> > +};
> > +
> > #endif /* _NF_OSF_H */
> > diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> > index c9bf74b94f37..beffa2010b20 100644
> > --- a/include/uapi/linux/netfilter/nf_tables.h
> > +++ b/include/uapi/linux/netfilter/nf_tables.h
> > @@ -9,6 +9,8 @@
> > #define NFT_OBJ_MAXNAMELEN NFT_NAME_MAXLEN
> > #define NFT_USERDATA_MAXLEN 256
> >
> > +#define OSF_GENRE_SIZE 32
> > +
> > /**
> > * enum nft_registers - nf_tables registers
> > *
> > @@ -122,6 +124,8 @@ enum nf_tables_msg_types {
> > NFT_MSG_NEWFLOWTABLE,
> > NFT_MSG_GETFLOWTABLE,
> > NFT_MSG_DELFLOWTABLE,
> > + NFT_MSG_NEWOSF,
> > + NFT_MSG_DELOSF,
> > NFT_MSG_MAX,
> > };
> >
> > @@ -1461,6 +1465,16 @@ enum nft_flowtable_hook_attributes {
> > };
> > #define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1)
> >
> > +enum nft_osf_attributes {
> > + NFTA_OSF_UNSPEC,
> > + NFTA_OSF_GENRE,
> > + NFTA_OSF_FLAGS,
> > + NFTA_OSF_LOGLEVEL,
> > + NFTA_OSF_TTL,
> > + __NFTA_OSF_MAX,
> > +};
> > +#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)
> > +
> > /**
> > * enum nft_device_attributes - nf_tables device netlink attributes
> > *
> > diff --git a/include/uapi/linux/netfilter/xt_osf.h b/include/uapi/linux/netfilter/xt_osf.h
> > index 2f5d4e6d0434..b7c0f93fe9d4 100644
> > --- a/include/uapi/linux/netfilter/xt_osf.h
> > +++ b/include/uapi/linux/netfilter/xt_osf.h
> > @@ -51,6 +51,7 @@
> > #define xt_osf_finger nf_osf_finger
> > #define xt_osf_nlmsg nf_osf_nlmsg
> >
> > +#define xt_osf_attr_type nf_osf_attr_type
> > /*
> > * Add/remove fingerprint from the kernel.
> > */
> > @@ -60,10 +61,4 @@ enum xt_osf_msg_types {
> > OSF_MSG_MAX,
> > };
> >
> > -enum xt_osf_attr_type {
> > - OSF_ATTR_UNSPEC,
> > - OSF_ATTR_FINGER,
> > - OSF_ATTR_MAX,
> > -};
> > -
> > #endif /* _XT_OSF_H */
> > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> > index ca4c4d994ddb..1783d8ef658c 100644
> > --- a/net/netfilter/nf_tables_api.c
> > +++ b/net/netfilter/nf_tables_api.c
> > @@ -17,6 +17,7 @@
> > #include <linux/netfilter.h>
> > #include <linux/netfilter/nfnetlink.h>
> > #include <linux/netfilter/nf_tables.h>
> > +#include <linux/netfilter/nf_osf.h>
> > #include <net/netfilter/nf_flow_table.h>
> > #include <net/netfilter/nf_tables_core.h>
> > #include <net/netfilter/nf_tables.h>
> > @@ -26,6 +27,7 @@
> > static LIST_HEAD(nf_tables_expressions);
> > static LIST_HEAD(nf_tables_objects);
> > static LIST_HEAD(nf_tables_flowtables);
> > +
>
> Por favor, evita este ruido en los parche.
>
> > static u64 table_handle;
> >
> > enum {
> > @@ -5851,6 +5853,8 @@ static int nf_tables_flowtable_event(struct notifier_block *this,
> > return NOTIFY_DONE;
> > }
> >
> > +
> > +
>
> Estas dos líneas nuevas es también ruido, no pertenecen a este
> problema.
>
> > static struct notifier_block nf_tables_flowtable_notifier = {
> > .notifier_call = nf_tables_flowtable_event,
> > };
> > @@ -5908,6 +5912,102 @@ static int nf_tables_getgen(struct net *net, struct sock *nlsk,
> > return err;
> > }
> >
> > +struct list_head nft_osf_fingers[2];
> > +EXPORT_SYMBOL_GPL(nft_osf_fingers);
> > +
> > +static int nf_tables_newosf(struct net *net, struct sock *ctnl,
> > + struct sk_buff *skb, const struct nlmsghdr *nlh,
> > + const struct nlattr * const osf_attrs[],
> > + struct netlink_ext_ack *extack)
> > +{
> > + struct nf_osf_user_finger *f;
> > + struct nf_osf_finger *kf = NULL, *sf;
> > + int err = 0;
> > + int i = 0;
> > +
> > + if (!capable(CAP_NET_ADMIN))
> > + return -EPERM;
> > + if (!osf_attrs[OSF_ATTR_FINGER])
> > + return -EINVAL;
> > +
> > + if (!(nlh->nlmsg_flags & NLM_F_CREATE))
> > + return -EINVAL;
> > +
> > + f = nla_data(osf_attrs[OSF_ATTR_FINGER]);
> > +
> > + kf = kmalloc(sizeof(struct nf_osf_finger), GFP_KERNEL);
> > + if (!kf)
> > + return -ENOMEM;
> > +
> > + for (i = 0; i < ARRAY_SIZE(nft_osf_fingers); ++i)
> > + INIT_LIST_HEAD(&nft_osf_fingers[i]);
> > +
> > + memcpy(&kf->finger, f, sizeof(struct nf_osf_user_finger));
> > +
> > + list_for_each_entry(sf, &nft_osf_fingers[!!f->df], finger_entry) {
> > + if (memcmp(&sf->finger, f, sizeof(struct nf_osf_user_finger)))
> > + continue;
> > +
> > + kfree(kf);
> > + kf = NULL;
> > +
> > + if (nlh->nlmsg_flags & NLM_F_EXCL)
> > + err = -EEXIST;
> > + break;
> > + }
> > +
> > + /*
> > + * We are protected by nfnl mutex.
> > + */
> > + if (kf)
> > + list_add_tail_rcu(&kf->finger_entry, &nft_osf_fingers[!!f->df]);
> > +
> > + return err;
> > +}
> > +
> > +static int nf_tables_delosf(struct net *net, struct sock *ctnl,
> > + struct sk_buff *skb,
> > + const struct nlmsghdr *nlh,
> > + const struct nlattr * const osf_attrs[],
> > + struct netlink_ext_ack *extack)
> > +{
> > + struct nf_osf_user_finger *f;
> > + struct nf_osf_finger *sf;
> > + int err = -ENOENT;
> > +
> > + if (!capable(CAP_NET_ADMIN))
> > + return -EPERM;
> > +
> > + if (!osf_attrs[OSF_ATTR_FINGER])
> > + return -EINVAL;
> > +
> > + f = nla_data(osf_attrs[OSF_ATTR_FINGER]);
> > +
> > + list_for_each_entry(sf, &nft_osf_fingers[!!f->df], finger_entry) {
> > + if (memcmp(&sf->finger, f, sizeof(struct nf_osf_user_finger)))
> > + continue;
> > +
> > + /*
> > + * We are protected by nfnl mutex.
> > + */
> > + list_del_rcu(&sf->finger_entry);
> > + kfree_rcu(sf, rcu_head);
> > +
> > + err = 0;
> > + break;
> > + }
> > +
> > + return err;
> > +}
> > +
> > +static const struct nla_policy nft_osf_policy[NFTA_OSF_MAX + 1] = {
> > + [NFTA_OSF_GENRE] = { .type = NLA_STRING, .len = OSF_GENRE_SIZE },
> > + [NFTA_OSF_FLAGS] = { .type = NLA_U32 },
> > + [NFTA_OSF_LOGLEVEL] = { .type = NLA_U32 },
> > + [NFTA_OSF_TTL] = { .type = NLA_U32 },
> > +};
> > +
> > static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
> > [NFT_MSG_NEWTABLE] = {
> > .call_batch = nf_tables_newtable,
> > @@ -6022,6 +6122,16 @@ static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
> > .attr_count = NFTA_FLOWTABLE_MAX,
> > .policy = nft_flowtable_policy,
> > },
> > + [NFT_MSG_NEWOSF] = {
> > + .call_batch = nf_tables_newosf,
> > + .attr_count = NFTA_OSF_MAX,
> > + .policy = nft_osf_policy,
> > + },
> > + [NFT_MSG_DELOSF] = {
> > + .call_batch = nf_tables_delosf,
> > + .attr_count = NFTA_OSF_MAX,
> > + .policy = nft_osf_policy,
> > + },
> > };
> >
> > static int nf_tables_validate(struct net *net)
> > diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
> > index 30c503f2bf53..cf8a38b052ad 100644
> > --- a/net/netfilter/nft_osf.c
> > +++ b/net/netfilter/nft_osf.c
> > @@ -54,6 +54,7 @@ static int nft_osf_init(const struct nft_ctx *ctx,
> > return -EINVAL;
> > priv->ttl = ntohl(nla_get_be32(tb[NFTA_OSF_TTL]));
> > priv->len = strlen(priv->genre);
> > +
>
> De nuevo línea innecesaria.
>
> Intenta ser meticuloso con lo que presentas, pues da la sensación a
> quien lo envías que no eres cuidadoso con los detalles...
>
> > return 0;
> > }
> >
> > --
> > 2.18.0
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
