From: Topi Miettinen <toiwoton@gmail.com>
To: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: nft_socket: only do sk lookup when indev is available
Date: Wed, 27 Apr 2022 21:10:27 +0300
Message-ID: <2810eacb-5940-0c96-2996-74742365da5e@gmail.com>
In-Reply-To: <20220427160218.9997-1-fw@strlen.de>

On 27.4.2022 19.02, Florian Westphal wrote:
> nft_socket lacks .validate hooks to restrict its use to the prerouting
> and input chains.
> 
> Adding such restriction now may break existing setups, also, if skb
> has a socket attached to it, nft_socket will work fine.
> 
> Therefore, check if the incoming interface is available and NFT_BREAK
> in case neither skb->sk nor input device are set.
> 
> Reported-by: Topi Miettinen <toiwoton@gmail.com>
> Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
> Signed-off-by: Florian Westphal <fw@strlen.de>

Thanks. After applying this patch, my test case, which triggered a BUG in 
a few tries, doesn't do it anymore with 25 attempts.

Tested-by: Topi Miettinen <toiwoton@gmail.com>

> ---
>   net/netfilter/nft_socket.c | 41 +++++++++++++++++++++++++-------------
>   1 file changed, 27 insertions(+), 14 deletions(-)
> 
> diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
> index 6d9e8e0a3a7d..cbd1e4523ace 100644
> --- a/net/netfilter/nft_socket.c
> +++ b/net/netfilter/nft_socket.c
> @@ -54,6 +54,32 @@ nft_sock_get_eval_cgroupv2(u32 *dest, struct sock *sk, const struct nft_pktinfo
>   }
>   #endif
>   
> +static struct sock *nft_socket_do_lookup(const struct nft_pktinfo *pkt)
> +{
> +	const struct net_device *indev = nft_in(pkt);
> +	const struct sk_buff *skb = pkt->skb;
> +	struct sock *sk = NULL;
> +
> +	if (!indev)
> +		return NULL;
> +
> +	switch(nft_pf(pkt)) {
> +	case NFPROTO_IPV4:
> +		sk = nf_sk_lookup_slow_v4(nft_net(pkt), skb, indev);
> +		break;
> +#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
> +	case NFPROTO_IPV6:
> +		sk = nf_sk_lookup_slow_v6(nft_net(pkt), skb, indev);
> +		break;
> +#endif
> +	default:
> +		WARN_ON_ONCE(1);
> +		break;
> +	}
> +
> +	return sk;
> +}
> +
>   static void nft_socket_eval(const struct nft_expr *expr,
>   			    struct nft_regs *regs,
>   			    const struct nft_pktinfo *pkt)
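Review bot: `switch(nft_pf(pkt)) {` in the new nft_socket_do_lookup() helper is missing the space after the keyword that kernel coding style (and checkpatch) expect; write `switch (nft_pf(pkt)) {`. The early `if (!indev) return NULL;` is the actual fix but carries no comment; a one-line note that nf_sk_lookup_slow_v4/v6 need a valid input device, which is not guaranteed outside prerouting/input because the expression has no .validate hook (as the commit message explains), would save the next reader a trip to the git log.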
> @@ -67,20 +93,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
>   		sk = NULL;
>   
>   	if (!sk)
> -		switch(nft_pf(pkt)) {
> -		case NFPROTO_IPV4:
> -			sk = nf_sk_lookup_slow_v4(nft_net(pkt), skb, nft_in(pkt));
> -			break;
> -#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
> -		case NFPROTO_IPV6:
> -			sk = nf_sk_lookup_slow_v6(nft_net(pkt), skb, nft_in(pkt));
> -			break;
> -#endif
> -		default:
> -			WARN_ON_ONCE(1);
> -			regs->verdict.code = NFT_BREAK;
> -			return;
> -		}
> +		sk = nft_socket_do_lookup(pkt);
>   
>   	if (!sk) {
>   		regs->verdict.code = NFT_BREAK;
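Review bot: the removed default branch set `regs->verdict.code = NFT_BREAK;` and returned directly; after the change an unsupported family goes through nft_socket_do_lookup(), which returns NULL, so the verdict is now produced by the existing `if (!sk) { regs->verdict.code = NFT_BREAK;` check that follows. The outcome is the same, but a sentence in the commit message saying so would help, since a reader of this hunk sees an explicit NFT_BREAK disappear. It is also worth stating that the remaining WARN_ON_ONCE (now inside the helper) still fires only for the unsupported-family case and not for the new !indev early return, which is an expected condition and stays silent.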

