All of lore.kernel.org
 help / color / mirror / Atom feed
From: kernel test robot <lkp@intel.com>
To: Cole Dishington <Cole.Dishington@alliedtelesis.co.nz>,
	pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de,
	davem@davemloft.net, kuba@kernel.org, shuah@kernel.org
Cc: llvm@lists.linux.dev, kbuild-all@lists.01.org,
	linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org, netdev@vger.kernel.org
Subject: Re: [PATCH net v5 1/2] net: netfilter: Limit the number of ftp helper port attempts
Date: Mon, 20 Sep 2021 14:05:28 +0800	[thread overview]
Message-ID: <202109201347.4jUq9C4v-lkp@intel.com> (raw)
In-Reply-To: <20210920005905.9583-2-Cole.Dishington@alliedtelesis.co.nz>

[-- Attachment #1: Type: text/plain, Size: 4475 bytes --]

Hi Cole,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on net/master]

url:    https://github.com/0day-ci/linux/commits/Cole-Dishington/Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210920-090056
base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git e30cd812dffadc58241ae378e48728e6a161becd
config: x86_64-randconfig-a002-20210920 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project c8b3d7d6d6de37af68b2f379d0e37304f78e115f)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/b90b875dc5be3c59ec418ce403a8d749690a24ec
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Cole-Dishington/Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210920-090056
        git checkout b90b875dc5be3c59ec418ce403a8d749690a24ec
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 ARCH=x86_64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

>> net/netfilter/nf_nat_ftp.c:117:37: warning: more '%' conversions than data arguments [-Wformat-insufficient-args]
                   nf_ct_helper_log(skb, ct, "tried %u ports, all were in use");
                                                    ~^
   1 warning generated.


vim +117 net/netfilter/nf_nat_ftp.c

    60	
    61	/* So, this packet has hit the connection tracking matching code.
    62	   Mangle it, and change the expectation to match the new version. */
    63	static unsigned int nf_nat_ftp(struct sk_buff *skb,
    64				       enum ip_conntrack_info ctinfo,
    65				       enum nf_ct_ftp_type type,
    66				       unsigned int protoff,
    67				       unsigned int matchoff,
    68				       unsigned int matchlen,
    69				       struct nf_conntrack_expect *exp)
    70	{
    71		union nf_inet_addr newaddr;
    72		u_int16_t port;
    73		int dir = CTINFO2DIR(ctinfo);
    74		struct nf_conn *ct = exp->master;
    75		unsigned int i, min, max, range_size;
    76		static const unsigned int max_attempts = 128;
    77		char buffer[sizeof("|1||65535|") + INET6_ADDRSTRLEN];
    78		unsigned int buflen;
    79		int ret;
    80	
    81		pr_debug("type %i, off %u len %u\n", type, matchoff, matchlen);
    82	
    83		/* Connection will come from wherever this packet goes, hence !dir */
    84		newaddr = ct->tuplehash[!dir].tuple.dst.u3;
    85		exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
    86		exp->dir = !dir;
    87	
    88		/* When you see the packet, we need to NAT it the same as the
    89		 * this one. */
    90		exp->expectfn = nf_nat_follow_master;
    91	
    92		min = ntohs(exp->saved_proto.tcp.port);
    93		max = 65535;
    94	
    95		/* Try to get same port */
    96		ret = nf_ct_expect_related(exp, 0);
    97	
    98		/* if same port is not in range or available, try to change it. */
    99		if (ret != 0) {
   100			range_size = max - min + 1;
   101			if (range_size > max_attempts)
   102				range_size = max_attempts;
   103	
   104			port = min + prandom_u32_max(max - min);
   105			for (i = 0; i < range_size; i++) {
   106				exp->tuple.dst.u.tcp.port = htons(port);
   107				ret = nf_ct_expect_related(exp, 0);
   108				if (ret != -EBUSY)
   109					break;
   110				port++;
   111				if (port > max)
   112					port = min;
   113			}
   114		}
   115	
   116		if (ret != 0) {
 > 117			nf_ct_helper_log(skb, ct, "tried %u ports, all were in use");
   118			return NF_DROP;
   119		}
   120	
   121		buflen = nf_nat_ftp_fmt_cmd(ct, type, buffer, sizeof(buffer),
   122					    &newaddr, port);
   123		if (!buflen)
   124			goto out;
   125	
   126		pr_debug("calling nf_nat_mangle_tcp_packet\n");
   127	
   128		if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff, matchoff,
   129					      matchlen, buffer, buflen))
   130			goto out;
   131	
   132		return NF_ACCEPT;
   133	
   134	out:
   135		nf_ct_helper_log(skb, ct, "cannot mangle packet");
   136		nf_ct_unexpect_related(exp);
   137		return NF_DROP;
   138	}
   139	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 37628 bytes --]

WARNING: multiple messages have this Message-ID (diff)
From: kernel test robot <lkp@intel.com>
To: kbuild-all@lists.01.org
Subject: Re: [PATCH net v5 1/2] net: netfilter: Limit the number of ftp helper port attempts
Date: Mon, 20 Sep 2021 14:05:28 +0800	[thread overview]
Message-ID: <202109201347.4jUq9C4v-lkp@intel.com> (raw)
In-Reply-To: <20210920005905.9583-2-Cole.Dishington@alliedtelesis.co.nz>

[-- Attachment #1: Type: text/plain, Size: 4594 bytes --]

Hi Cole,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on net/master]

url:    https://github.com/0day-ci/linux/commits/Cole-Dishington/Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210920-090056
base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git e30cd812dffadc58241ae378e48728e6a161becd
config: x86_64-randconfig-a002-20210920 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project c8b3d7d6d6de37af68b2f379d0e37304f78e115f)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/b90b875dc5be3c59ec418ce403a8d749690a24ec
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Cole-Dishington/Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210920-090056
        git checkout b90b875dc5be3c59ec418ce403a8d749690a24ec
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 ARCH=x86_64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

>> net/netfilter/nf_nat_ftp.c:117:37: warning: more '%' conversions than data arguments [-Wformat-insufficient-args]
                   nf_ct_helper_log(skb, ct, "tried %u ports, all were in use");
                                                    ~^
   1 warning generated.


vim +117 net/netfilter/nf_nat_ftp.c

    60	
    61	/* So, this packet has hit the connection tracking matching code.
    62	   Mangle it, and change the expectation to match the new version. */
    63	static unsigned int nf_nat_ftp(struct sk_buff *skb,
    64				       enum ip_conntrack_info ctinfo,
    65				       enum nf_ct_ftp_type type,
    66				       unsigned int protoff,
    67				       unsigned int matchoff,
    68				       unsigned int matchlen,
    69				       struct nf_conntrack_expect *exp)
    70	{
    71		union nf_inet_addr newaddr;
    72		u_int16_t port;
    73		int dir = CTINFO2DIR(ctinfo);
    74		struct nf_conn *ct = exp->master;
    75		unsigned int i, min, max, range_size;
    76		static const unsigned int max_attempts = 128;
    77		char buffer[sizeof("|1||65535|") + INET6_ADDRSTRLEN];
    78		unsigned int buflen;
    79		int ret;
    80	
    81		pr_debug("type %i, off %u len %u\n", type, matchoff, matchlen);
    82	
    83		/* Connection will come from wherever this packet goes, hence !dir */
    84		newaddr = ct->tuplehash[!dir].tuple.dst.u3;
    85		exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
    86		exp->dir = !dir;
    87	
    88		/* When you see the packet, we need to NAT it the same as the
    89		 * this one. */
    90		exp->expectfn = nf_nat_follow_master;
    91	
    92		min = ntohs(exp->saved_proto.tcp.port);
    93		max = 65535;
    94	
    95		/* Try to get same port */
    96		ret = nf_ct_expect_related(exp, 0);
    97	
    98		/* if same port is not in range or available, try to change it. */
    99		if (ret != 0) {
   100			range_size = max - min + 1;
   101			if (range_size > max_attempts)
   102				range_size = max_attempts;
   103	
   104			port = min + prandom_u32_max(max - min);
   105			for (i = 0; i < range_size; i++) {
   106				exp->tuple.dst.u.tcp.port = htons(port);
   107				ret = nf_ct_expect_related(exp, 0);
   108				if (ret != -EBUSY)
   109					break;
   110				port++;
   111				if (port > max)
   112					port = min;
   113			}
   114		}
   115	
   116		if (ret != 0) {
 > 117			nf_ct_helper_log(skb, ct, "tried %u ports, all were in use");
   118			return NF_DROP;
   119		}
   120	
   121		buflen = nf_nat_ftp_fmt_cmd(ct, type, buffer, sizeof(buffer),
   122					    &newaddr, port);
   123		if (!buflen)
   124			goto out;
   125	
   126		pr_debug("calling nf_nat_mangle_tcp_packet\n");
   127	
   128		if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff, matchoff,
   129					      matchlen, buffer, buflen))
   130			goto out;
   131	
   132		return NF_ACCEPT;
   133	
   134	out:
   135		nf_ct_helper_log(skb, ct, "cannot mangle packet");
   136		nf_ct_unexpect_related(exp);
   137		return NF_DROP;
   138	}
   139	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 37628 bytes --]

  parent reply	other threads:[~2021-09-20  6:06 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-20  0:59 [PATCH net v5 0/2] Fix port selection of FTP for NF_NAT_RANGE_PROTO_SPECIFIED Cole Dishington
2021-09-20  0:59 ` [PATCH net v5 1/2] net: netfilter: Limit the number of ftp helper port attempts Cole Dishington
2021-09-20  5:09   ` kernel test robot
2021-09-20  5:09     ` kernel test robot
2021-09-20  6:05   ` kernel test robot [this message]
2021-09-20  6:05     ` kernel test robot
2021-09-20  7:22   ` Florian Westphal
2021-09-20  0:59 ` [PATCH net v5 2/2] net: netfilter: Fix port selection of FTP for NF_NAT_RANGE_PROTO_SPECIFIED Cole Dishington
2021-09-20  7:23   ` Florian Westphal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202109201347.4jUq9C4v-lkp@intel.com \
    --to=lkp@intel.com \
    --cc=Cole.Dishington@alliedtelesis.co.nz \
    --cc=coreteam@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=fw@strlen.de \
    --cc=kadlec@netfilter.org \
    --cc=kbuild-all@lists.01.org \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=llvm@lists.linux.dev \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=shuah@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.