[PATCH net-next 0/3] netfilter: use NF_DROP instead of -NF_DROP

[PATCH net-next 0/3] netfilter: use NF_DROP instead of -NF_DROP

[Jason Xing]

From: Jason Xing <kernelxing@tencent.com>

Just simply replace the -NF_DROP with NF_DROP since it is just zero.

Jason Xing (3):
  netfilter: using NF_DROP in test statement in nf_conntrack_in()
  netfilter: use NF_DROP in iptable_filter_table_init()
  netfilter: use NF_DROP in ip6table_filter_table_init()

 net/ipv4/netfilter/iptable_filter.c  | 2 +-
 net/ipv6/netfilter/ip6table_filter.c | 2 +-
 net/netfilter/nf_conntrack_core.c    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

-- 
2.37.3

[PATCH net-next 1/3] netfilter: using NF_DROP in test statement in nf_conntrack_in()

[Jason Xing]

From: Jason Xing <kernelxing@tencent.com>

At the beginning in 2009 one patch [1] introduced collecting drop
counter in nf_conntrack_in() by returning -NF_DROP. Later, another
patch [2] changed the return value of tcp_packet() which now is
renamed to nf_conntrack_tcp_packet() from -NF_DROP to NF_DROP.

Well, as NF_DROP is equal to 0, inverting NF_DROP makes no sense
as patch [2] did many years ago.

[1]
commit 7d1e04598e5e ("netfilter: nf_conntrack: account packets drop by tcp_packet()")
[2]
commit ec8d540969da ("netfilter: conntrack: fix dropping packet after l4proto->packet()")

Signed-off-by: Jason Xing <kernelxing@tencent.com>
---
 net/netfilter/nf_conntrack_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index c63868666bd9..6102dc09cdd3 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2024,7 +2024,7 @@ nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state)
 			goto repeat;
 
 		NF_CT_STAT_INC_ATOMIC(state->net, invalid);
-		if (ret == -NF_DROP)
+		if (ret == NF_DROP)
 			NF_CT_STAT_INC_ATOMIC(state->net, drop);
 
 		ret = -ret;
-- 
2.37.3

[PATCH net-next 2/3] netfilter: use NF_DROP in iptable_filter_table_init()

[Jason Xing]

From: Jason Xing <kernelxing@tencent.com>

There is no need to use the negative -NF_DROP because the definition
is just zero.

Signed-off-by: Jason Xing <kernelxing@tencent.com>
---
 net/ipv4/netfilter/iptable_filter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index b9062f4552ac..3ab908b74795 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -44,7 +44,7 @@ static int iptable_filter_table_init(struct net *net)
 		return -ENOMEM;
 	/* Entry 1 is the FORWARD hook */
 	((struct ipt_standard *)repl->entries)[1].target.verdict =
-		forward ? -NF_ACCEPT - 1 : -NF_DROP - 1;
+		forward ? -NF_ACCEPT - 1 : NF_DROP - 1;
 
 	err = ipt_register_table(net, &packet_filter, repl, filter_ops);
 	kfree(repl);
-- 
2.37.3

[PATCH net-next 3/3] netfilter: use NF_DROP in ip6table_filter_table_init()

[Jason Xing]

From: Jason Xing <kernelxing@tencent.com>

There is no need to use the negative -NF_DROP because the definition
is just zero.

Signed-off-by: Jason Xing <kernelxing@tencent.com>
---
 net/ipv6/netfilter/ip6table_filter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index df785ebda0ca..e8992693e14a 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -43,7 +43,7 @@ static int ip6table_filter_table_init(struct net *net)
 		return -ENOMEM;
 	/* Entry 1 is the FORWARD hook */
 	((struct ip6t_standard *)repl->entries)[1].target.verdict =
-		forward ? -NF_ACCEPT - 1 : -NF_DROP - 1;
+		forward ? -NF_ACCEPT - 1 : NF_DROP - 1;
 
 	err = ip6t_register_table(net, &packet_filter, repl, filter_ops);
 	kfree(repl);
-- 
2.37.3

Re: [PATCH net-next 0/3] netfilter: use NF_DROP instead of -NF_DROP

[Pablo Neira Ayuso]

On Mon, Mar 25, 2024 at 11:19:42AM +0800, Jason Xing wrote:
> From: Jason Xing <kernelxing@tencent.com>
>
> Just simply replace the -NF_DROP with NF_DROP since it is just zero.

Single patch for this should be fine, thanks.

There are spots where this happens, and it is not obvious, such as nf_conntrack_in()

        if (protonum == IPPROTO_ICMP || protonum == IPPROTO_ICMPV6) {
                ret = nf_conntrack_handle_icmp(tmpl, skb, dataoff,
                                               protonum, state);
                if (ret <= 0) {
                        ret = -ret;
                        goto out;
                }

removing signed zero seems more in these cases look more complicated.

Re: [PATCH net-next 0/3] netfilter: use NF_DROP instead of -NF_DROP

[Jason Xing]

On Mon, Mar 25, 2024 at 5:19 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Mon, Mar 25, 2024 at 11:19:42AM +0800, Jason Xing wrote:
> > From: Jason Xing <kernelxing@tencent.com>
> >
> > Just simply replace the -NF_DROP with NF_DROP since it is just zero.
>
> Single patch for this should be fine, thanks.

Okay, I thought every patch should be atomic, so I splitted one into
three. I will squash them :)

>
> There are spots where this happens, and it is not obvious, such as nf_conntrack_in()
>
>         if (protonum == IPPROTO_ICMP || protonum == IPPROTO_ICMPV6) {
>                 ret = nf_conntrack_handle_icmp(tmpl, skb, dataoff,
>                                                protonum, state);
>                 if (ret <= 0) {
>                         ret = -ret;

Yep, it's not that obvious.

>                         goto out;
>                 }
>
> removing signed zero seems more in these cases look more complicated.

Yes, so I have no intention to touch them all. The motivation of this
patch is that I traced back to the use of NF_DROP in history and found
out something strange.

I will send a v2 patch soon.

Thanks,
Jason

Re: [PATCH net-next 0/3] netfilter: use NF_DROP instead of -NF_DROP

[Pablo Neira Ayuso]

On Mon, Mar 25, 2024 at 05:31:19PM +0800, Jason Xing wrote:
> On Mon, Mar 25, 2024 at 5:19 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > On Mon, Mar 25, 2024 at 11:19:42AM +0800, Jason Xing wrote:
> > > From: Jason Xing <kernelxing@tencent.com>
> > >
> > > Just simply replace the -NF_DROP with NF_DROP since it is just zero.
> >
> > Single patch for this should be fine, thanks.
> 
> Okay, I thought every patch should be atomic, so I splitted one into
> three. I will squash them :)

One patch for logical update, patch description is the same for them all.

> > There are spots where this happens, and it is not obvious, such as nf_conntrack_in()
> >
> >         if (protonum == IPPROTO_ICMP || protonum == IPPROTO_ICMPV6) {
> >                 ret = nf_conntrack_handle_icmp(tmpl, skb, dataoff,
> >                                                protonum, state);
> >                 if (ret <= 0) {
> >                         ret = -ret;
> 
> Yep, it's not that obvious.
> 
> >                         goto out;
> >                 }
> >
> > removing signed zero seems more in these cases look more complicated.
> 
> Yes, so I have no intention to touch them all. The motivation of this
> patch is that I traced back to the use of NF_DROP in history and found
> out something strange.

Yes, it looks like something was trying to be fixed not in the right way.

> I will send a v2 patch soon.

Thanks.