Re: [PATCH nf-next] netfilter: add support for matching IPv4 options

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Stephen Suryaputra <ssuryaextr@gmail.com>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH nf-next] netfilter: add support for matching IPv4 options
Date: Mon, 10 Jun 2019 17:50:55 +0200	[thread overview]
Message-ID: <20190610155055.a3o7yx25j3jlwzgs@salvia> (raw)
In-Reply-To: <20190602022706.GA24477@ubuntu>

On Sat, Jun 01, 2019 at 10:27:06PM -0400, Stephen Suryaputra wrote:
> On Mon, Jun 03, 2019 at 02:30:06PM +0200, Pablo Neira Ayuso wrote:
> > > I developed this patchset to suit my employer needs and there is no plan
> > > for a follow up patchset, however I think non-zero offset might be useful
> > > in the future for tunneled packets.
> > 
> > For tunneled traffic, we can store the network offset in the
> > nft_pktinfo object. Then, add a new extension to update this network
> > offset to point to the network offset inside the tunnel header, and
> > use this pkt->network_offset everywhere.
> 
> OK. I'm changing so that offset isn't being used as input. But, it's
> still being passed as reference for output. See further response
> below...
> 
> > I think this new IPv4 options extension should use priv->offset to
> > match fields inside the IPv4 option specifically, just like in the
> > IPv6 extensions and TCP options do. If you look on how the
> > priv->offset is used in the existing code, this offset points to
> > values that the specific option field conveys.
> 
> I believe that's what I have coded:
> 
> 	err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type, NULL, NULL);
> 	if (priv->flags & NFT_EXTHDR_F_PRESENT) {
> 		*dest = (err >= 0);
> 		return;
> 	} else if (err < 0) {
> 		goto err;
> 	}
> 	offset += priv->offset;
> 
> offset is returned as the offset where it matches the sought priv->type
> then priv->offset is added to get to the right field between the offset.

I see, thanks for explaining.

I got me confused when I read this:

+ * Note that *offset is used as input/output parameter, and if it is not zero,
+ * then it must be a valid offset to an inner IPv4 header. This can be used
+ * to explore inner IPv4 header, eg. ICMP error messages.

I thought this is how the new extension for nftables is working. Not
the function.

And then, this chunk:

+       if (!offset)
+               return -EINVAL;

This never happens, right? offset is always set.

+       if (!*offset)
+               *offset = skb_network_offset(skb);

So this is not needed either.

I would remove those, you can add more code to ipv4_find_option()
later on as you get more clients in the networking tree. I'd suggest,
better remove code that is not used yet, then introduce it once
needed.

> If this is satisfactory, I can submit v2 of the kernel patch.

Please do so, so you get more feedback (if needed) and we move on :-)

Thanks!