[PATCH] net : fix adding same ip rule multiple times

* [PATCH] net : fix adding same ip rule multiple times
@ 2023-03-01 13:50 ismail bouzaiene
  2023-03-01 17:42 ` Jakub Kicinski
  0 siblings, 1 reply; 3+ messages in thread
From: ismail bouzaiene @ 2023-03-01 13:50 UTC (permalink / raw)
  To: netdev, davem, edumazet, kuba, pabeni

[-- Attachment #1: Type: text/plain, Size: 1381 bytes --]

Hello,

In case we try to add the same ip rule multiple times, the kernel will
reject the addition using the call rule_exits().

However there are two use cases where it is still possible to add the
same ip rule multiple times despite the check rule_exists().

First use case :

add two ip rules with the same informations and only the prio / pref
attribute is different

Second use case :

add two ip rules with the same informations without setting the
attribute prio / pref
In this case, the kernel will attribute a pref to this ip rule using
the following mechanism :

Kernel will loop over all already applied ip rules, get the index of
the first ip rule with pref not null
add +1 and use this value to set the pref field in the ip rule to be applied.


The two use cases are possible because the call rule_exists() checks
the prio / pref among others parameters, and in both cases the prio /
pref attribute will be different from any of the already applied ip
rules.

I suggest fixing the mentioned two cases by removing the test on the
pref / prio attribute in the function rule_exits().

This patch implement the suggested solution : patch_solAllcases.patch

In case you think that the First use case is a valid use case and we
need only to handle the Second use case, I provide here also a second
patch that handle only the First use case :

patch_solOnlySecondCase.patch

[-- Attachment #2: patch_solAllcases.patch --]
[-- Type: text/x-patch, Size: 488 bytes --]

diff -uprN net-next-6.2-rc7/net/core/fib_rules.c net-next-6.2-rc7_patch-Sol1/net/core/fib_rules.c

--- net-next-6.2-rc7/net/core/fib_rules.c	2023-02-05 22:13:28.000000000 +0100
+++ net-next-6.2-rc7_patch-Sol1/net/core/fib_rules.c	2023-02-17 10:27:54.992948006 +0100
@@ -695,9 +695,6 @@ static int rule_exists(struct fib_rules_
 		if (r->table != rule->table)
 			continue;
 
-		if (r->pref != rule->pref)
-			continue;
-
 		if (memcmp(r->iifname, rule->iifname, IFNAMSIZ))
 			continue;
 

[-- Attachment #3: patch_solOnlySecondCase.patch --]
[-- Type: text/x-patch, Size: 1039 bytes --]

diff -uprN net-next-6.2-rc7/net/core/fib_rules.c net-next-6.2-rc7_patch-Sol2/net/core/fib_rules.c
--- net-next-6.2-rc7/net/core/fib_rules.c	2023-02-05 22:13:28.000000000 +0100
+++ net-next-6.2-rc7_patch-Sol2/net/core/fib_rules.c	2023-02-17 10:04:01.111242230 +0100
@@ -684,7 +684,7 @@ errout:
 }
 
 static int rule_exists(struct fib_rules_ops *ops, struct fib_rule_hdr *frh,
-		       struct nlattr **tb, struct fib_rule *rule)
+		       struct nlattr **tb, struct fib_rule *rule,bool user_priority)
 {
 	struct fib_rule *r;
 
@@ -695,7 +695,7 @@ static int rule_exists(struct fib_rules_
 		if (r->table != rule->table)
 			continue;
 
-		if (r->pref != rule->pref)
+		if (user_priority && r->pref != rule->pref)
 			continue;
 
 		if (memcmp(r->iifname, rule->iifname, IFNAMSIZ))
@@ -806,7 +806,7 @@ int fib_nl_newrule(struct sk_buff *skb,
 		goto errout;
 
 	if ((nlh->nlmsg_flags & NLM_F_EXCL) &&
-	    rule_exists(ops, frh, tb, rule)) {
+	    rule_exists(ops, frh, tb, rule,user_priority)) {
 		err = -EEXIST;
 		goto errout_free;
 	}

^ permalink raw reply	[flat|nested] 3+ messages in thread