From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 8/9] netfilter: nft_hash: do not dump the auto generated seed
Date: Fri, 14 Apr 2017 02:26:50 +0200
Message-ID: <1492129611-29336-9-git-send-email-pablo@netfilter.org>
In-Reply-To: <1492129611-29336-1-git-send-email-pablo@netfilter.org>

From: Liping Zhang <zlpnobody@gmail.com>

This can prevent the nft utility from printing out the auto generated
seed to the user, which is unnecessary and confusing.

Fixes: cb1b69b0b15b ("netfilter: nf_tables: add hash expression")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_hash.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index eb2721af898d..c4dad1254ead 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -21,6 +21,7 @@ struct nft_hash {
enum nft_registers sreg:8;
enum nft_registers dreg:8;
u8 len;
+ bool autogen_seed:1;
u32 modulus;
u32 seed;
u32 offset;
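
Review bot: the new `autogen_seed` member of `struct nft_hash` has no comment saying what it records. A one-line comment noting that it marks a kernel-generated seed which must not be dumped would make the link to `nft_hash_dump()` obvious. A plain `bool` would also read more simply than a one-bit bitfield placed between `u8 len` and `u32 modulus`, if the layout allows it.
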
@@ -82,10 +83,12 @@ static int nft_hash_init(const struct nft_ctx *ctx,
if (priv->offset + priv->modulus - 1 < priv->offset)
return -EOVERFLOW;
- if (tb[NFTA_HASH_SEED])
+ if (tb[NFTA_HASH_SEED]) {
priv->seed = ntohl(nla_get_be32(tb[NFTA_HASH_SEED]));
- else
+ } else {
+ priv->autogen_seed = true;
get_random_bytes(&priv->seed, sizeof(priv->seed));
+ }
return nft_validate_register_load(priv->sreg, len) &&
nft_validate_register_store(ctx, priv->dreg, NULL,
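
Review bot: in `nft_hash_init()`, `priv->autogen_seed` is assigned only in the `else` branch, so the `tb[NFTA_HASH_SEED]` path depends on the expression's private data already being zeroed when init runs. If that is not guaranteed, set `priv->autogen_seed = false;` explicitly in the first branch, or state the assumption in a comment.
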
@@ -105,7 +108,8 @@ static int nft_hash_dump(struct sk_buff *skb,
goto nla_put_failure;
if (nla_put_be32(skb, NFTA_HASH_MODULUS, htonl(priv->modulus)))
goto nla_put_failure;
- if (nla_put_be32(skb, NFTA_HASH_SEED, htonl(priv->seed)))
+ if (!priv->autogen_seed &&
+ nla_put_be32(skb, NFTA_HASH_SEED, htonl(priv->seed)))
goto nla_put_failure;
if (priv->offset != 0)
if (nla_put_be32(skb, NFTA_HASH_OFFSET, htonl(priv->offset)))
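
Review bot: with the `!priv->autogen_seed &&` condition in `nft_hash_dump()`, a dumped rule no longer carries `NFTA_HASH_SEED`, so loading that dump again takes the `get_random_bytes()` path in `nft_hash_init()` and ends up with a different seed, and therefore a different hash result for the same input, than the running rule. If that is intended, the commit message or a comment above this check should say so.
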
--
2.1.4