Hi Phil,
On Sat, Feb 15, 2020 at 11:58:55PM +0100, Phil Sutter wrote:
> Hi Pablo,
>
> On Sat, Feb 15, 2020 at 02:17:13PM +0100, Pablo Neira Ayuso wrote:
> > On Sat, Feb 15, 2020 at 01:43:11AM +0100, Phil Sutter wrote:
> > > Hi Pablo,
> > >
> > > On Fri, Feb 14, 2020 at 06:42:00PM +0100, Pablo Neira Ayuso wrote:
> > > > On Fri, Feb 14, 2020 at 06:34:50PM +0100, Phil Sutter wrote:
> > > > > On Fri, Feb 14, 2020 at 06:32:47PM +0100, Pablo Neira Ayuso wrote:
> > > > > > On Fri, Feb 14, 2020 at 06:24:17PM +0100, Phil Sutter wrote:
> > > > > > > Typical idiom for *_get_u*() getters is to call *_get_data() and make
> > > > > > > sure data_len matches what each of them is returning. Yet they shouldn't
> > > > > > > trust *_get_data() to write into passed pointer to data_len since for
> > > > > > > chains and NFTNL_CHAIN_DEVICES attribute, it does not. Make sure these
> > > > > > > assert() calls trigger in those cases.
> > > > > >
> > > > > > The intention to catch for unset attributes through the assertion,
> > > > > > right?
> > > > >
> > > > > No, this is about making sure that no wrong getter is called, e.g.
> > > > > nftnl_chain_get_u64() with e.g. NFTNL_CHAIN_HOOKNUM attribute which is
> > > > > only 32bits.
> > > >
> > > > I think it will also catch the case I'm asking. If attribute is unset,
> > > > then nftnl_chain_get_data() returns NULL and the assertion checks
> > > > data_len, which has not been properly initialized.
> > >
> > > With nftnl_assert() being (shortened):
> > >
> > > | #define nftnl_assert(val, attr, expr) \
> > > | ((!val || expr) ? \
> > > | (void)0 : __nftnl_assert_fail(attr, __FILE__, __LINE__))
> > >
> > > Check for 'expr' (which is passed as 'data_len == sizeof(<something>)')
> > > will only happen if 'val' is not NULL. Callers then return like so:
> > >
> > > | return val ? *val : 0;
> > >
> > > This means that if you pass an unset attribute to the getter, it will
> > > simply return 0.
> >
> > Thanks for explaining, Phil. If the problem is just
> > NFTNL_CHAIN_DEVICES and NFTNL_FLOWTABLE_DEVICES, probably this is just
> > fine? So zero data-length is reversed for arrays and update
> > nftnl_assert() to skip data_len == 0, ie.
> >
> > > | #define nftnl_assert(val, attr, expr) \
> > > | ((!val || data_len == 0 || expr) ? \
> > > | (void)0 : __nftnl_assert_fail(attr, __FILE__, __LINE__))
>
> Your proposed patch would allow to call e.g.:
>
> | nftnl_chain_get_u32(c, NFTNL_CHAIN_DEVICES)
>
> This would return (uint32_t)*(&c->dev_array[0]), I highly doubt we
> should allow this. Unless I miss something, it is certainly a
> programming error if someone calls any of the nftnl_chain_get_{u,s}*
> getters on NFTNL_CHAIN_DEVICES attribute. So aborting with error message
> in nftnl_assert() is not only OK but actually helpful, no?
Indeed, good point.
I don't think nftnl_flowtable_set_data() is good for these two device
array.
I just sent a patch, I forgot to finish the _set_array() and
_get_array() helpers for the flowtable, the definition in the header
file prooves this.
Can we introduce these new interfaces? Then, update nftables to use it.
Then, at some point, set *data_len = 0 for these array datatypes. Yes,
it's a bit longer term, but better fix this interface. But setting all
these data_len to zero when in most cases it is going to be thereafter
properly set to the datatype length is...
Would this work for you? I know it is not so short term.
