From: kernel test robot <lkp@intel.com>
To: Cole Dishington <Cole.Dishington@alliedtelesis.co.nz>,
pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de,
davem@davemloft.net, kuba@kernel.org, shuah@kernel.org
Cc: llvm@lists.linux.dev, kbuild-all@lists.01.org,
linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, netdev@vger.kernel.org
Subject: Re: [PATCH net v5 1/2] net: netfilter: Limit the number of ftp helper port attempts
Date: Mon, 20 Sep 2021 14:05:28 +0800
Message-ID: <202109201347.4jUq9C4v-lkp@intel.com>
In-Reply-To: <20210920005905.9583-2-Cole.Dishington@alliedtelesis.co.nz>
[-- Attachment #1: Type: text/plain, Size: 4475 bytes --]
Hi Cole,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on net/master]
url: https://github.com/0day-ci/linux/commits/Cole-Dishington/Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210920-090056
base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git e30cd812dffadc58241ae378e48728e6a161becd
config: x86_64-randconfig-a002-20210920 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project c8b3d7d6d6de37af68b2f379d0e37304f78e115f)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/b90b875dc5be3c59ec418ce403a8d749690a24ec
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Cole-Dishington/Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210920-090056
        git checkout b90b875dc5be3c59ec418ce403a8d749690a24ec
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 ARCH=x86_64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):

>> net/netfilter/nf_nat_ftp.c:117:37: warning: more '%' conversions than data arguments [-Wformat-insufficient-args]
                   nf_ct_helper_log(skb, ct, "tried %u ports, all were in use");
                                                    ~^
   1 warning generated.
vim +117 net/netfilter/nf_nat_ftp.c
    60
    61	/* So, this packet has hit the connection tracking matching code.
    62	   Mangle it, and change the expectation to match the new version. */
    63	static unsigned int nf_nat_ftp(struct sk_buff *skb,
    64				       enum ip_conntrack_info ctinfo,
    65				       enum nf_ct_ftp_type type,
    66				       unsigned int protoff,
    67				       unsigned int matchoff,
    68				       unsigned int matchlen,
    69				       struct nf_conntrack_expect *exp)
    70	{
    71		union nf_inet_addr newaddr;
    72		u_int16_t port;
    73		int dir = CTINFO2DIR(ctinfo);
    74		struct nf_conn *ct = exp->master;
    75		unsigned int i, min, max, range_size;
    76		static const unsigned int max_attempts = 128;
    77		char buffer[sizeof("|1||65535|") + INET6_ADDRSTRLEN];
    78		unsigned int buflen;
    79		int ret;
    80
    81		pr_debug("type %i, off %u len %u\n", type, matchoff, matchlen);
    82
    83		/* Connection will come from wherever this packet goes, hence !dir */
    84		newaddr = ct->tuplehash[!dir].tuple.dst.u3;
    85		exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
    86		exp->dir = !dir;
    87
    88		/* When you see the packet, we need to NAT it the same as the
    89		 * this one. */
    90		exp->expectfn = nf_nat_follow_master;
    91
    92		min = ntohs(exp->saved_proto.tcp.port);
    93		max = 65535;
    94
    95		/* Try to get same port */
    96		ret = nf_ct_expect_related(exp, 0);
    97
    98		/* if same port is not in range or available, try to change it. */
    99		if (ret != 0) {
   100			range_size = max - min + 1;
   101			if (range_size > max_attempts)
   102				range_size = max_attempts;
   103
   104			port = min + prandom_u32_max(max - min);
   105			for (i = 0; i < range_size; i++) {
   106				exp->tuple.dst.u.tcp.port = htons(port);
   107				ret = nf_ct_expect_related(exp, 0);
   108				if (ret != -EBUSY)
   109					break;
   110				port++;
   111				if (port > max)
   112					port = min;
   113			}
   114		}
   115
   116		if (ret != 0) {
 > 117			nf_ct_helper_log(skb, ct, "tried %u ports, all were in use");
   118			return NF_DROP;
   119		}
   120
   121		buflen = nf_nat_ftp_fmt_cmd(ct, type, buffer, sizeof(buffer),
   122					    &newaddr, port);
   123		if (!buflen)
   124			goto out;
   125
   126		pr_debug("calling nf_nat_mangle_tcp_packet\n");
   127
   128		if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff, matchoff,
   129					      matchlen, buffer, buflen))
   130			goto out;
   131
   132		return NF_ACCEPT;
   133
   134	out:
   135		nf_ct_helper_log(skb, ct, "cannot mangle packet");
   136		nf_ct_unexpect_related(exp);
   137		return NF_DROP;
   138	}
   139
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 37628 bytes --]