Netfilter-Devel Archive on lore.kernel.org
* Documentation question
@ 2019-10-30  9:07 Duncan Roe
  2019-10-30  9:15 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 7+ messages in thread
From: Duncan Roe @ 2019-10-30  9:07 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Netfilter Development

Hi Pablo,

When setting verdicts, does sending amended packet contents imply to accept the
packet? In my app I have assumed not and that seems to work fine, but I'd like
to be sure for the doco.

Cheers ... Duncan.


* Re: Documentation question
  2019-10-30  9:07 Documentation question Duncan Roe
@ 2019-10-30  9:15 ` Pablo Neira Ayuso
  2019-10-30  9:38   ` Duncan Roe
  0 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2019-10-30  9:15 UTC (permalink / raw)
  To: Netfilter Development

On Wed, Oct 30, 2019 at 08:07:07PM +1100, Duncan Roe wrote:
> Hi Pablo,
> 
> When setting verdicts, does sending amended packet contents imply to accept the
> packet? In my app I have assumed not and that seems to work fine, but I'd like
> to be sure for the doco.

If you set the verdict to NF_ACCEPT and the packet that you send back
to the kernel is mangled, then the kernel takes your mangled packet
contents.

Thanks.


* Re: Documentation question
  2019-10-30  9:15 ` Pablo Neira Ayuso
@ 2019-10-30  9:38   ` Duncan Roe
  2019-10-30  9:47     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 7+ messages in thread
From: Duncan Roe @ 2019-10-30  9:38 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Netfilter Development

On Wed, Oct 30, 2019 at 10:15:21AM +0100, Pablo Neira Ayuso wrote:
> On Wed, Oct 30, 2019 at 08:07:07PM +1100, Duncan Roe wrote:
> > Hi Pablo,
> >
> > When setting verdicts, does sending amended packet contents imply to accept the
> > packet? In my app I have assumed not and that seems to work fine, but I'd like
> > to be sure for the doco.
>
> If you set the verdict to NF_ACCEPT and the packet that you send back
> to the kernel is mangled, then the kernel takes your mangled packet
> contents.
>
> Thanks.

Thanks Pablo, I knew that, but what happens if you send back mangled contents
and no NF_ACCEPT or NF_DROP?

Does the kernel keep waiting until you send one of these?

Cheers ... Duncan.


* Re: Documentation question
  2019-10-30  9:38   ` Duncan Roe
@ 2019-10-30  9:47     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2019-10-30  9:47 UTC (permalink / raw)
  To: Netfilter Development

On Wed, Oct 30, 2019 at 08:38:02PM +1100, Duncan Roe wrote:
> On Wed, Oct 30, 2019 at 10:15:21AM +0100, Pablo Neira Ayuso wrote:
> > On Wed, Oct 30, 2019 at 08:07:07PM +1100, Duncan Roe wrote:
> > > Hi Pablo,
> > >
> > > When setting verdicts, does sending amended packet contents imply to accept the
> > > packet? In my app I have assumed not and that seems to work fine, but I'd like
> > > to be sure for the doco.
> >
> > If you set the verdict to NF_ACCEPT and the packet that you send back
> > to the kernel is mangled, then the kernel takes your mangled packet
> > contents.
> >
> > Thanks.
> 
> Thanks Pablo I knew that, but what happens if you send back mangled contents
> and no NF_ACCEPT or NF_DROP?
> 
> Does the kernel keep waiting until you send one of these?

If you don't specify the verdict attribute, then kernel says -EINVAL.
For reference, the function to handle the netlink message that comes
from userspace is nfqnl_recv_verdict() [1].

The nfqueue netlink protocol forces the user to send the verdict along
with the packet contents (only relevant if the contents have been
updated; if the packet is left untouched, you can skip sending the packet
contents so the kernel assumes the packet is not altered).

Setting verbosity mode on here, much of this information you might
already know, but I prefer this for clarity.

Thanks.

[1]
https://elixir.bootlin.com/linux/latest/source/net/netfilter/nfnetlink_queue.c#L1167
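As an added illustration of the rule Pablo describes (this is not code from the thread, from libnetfilter_queue or from the kernel): the NFQNL_MSG_VERDICT message built by hand on top of the kernel UAPI headers only, once with and once without the mandatory NFQA_VERDICT_HDR and the optional NFQA_PAYLOAD, plus a bounds-checked attribute walk of the kind a receiver performs. put_attr, build_verdict and attr_len are names chosen for this example, not library API.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_queue.h>

/* Append one netlink attribute to nlh (what mnl_attr_put() does for you). */
static void put_attr(struct nlmsghdr *nlh, uint16_t type, const void *d, uint16_t len)
{
	struct nlattr *a = (struct nlattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
	a->nla_type = type;
	a->nla_len = NLA_HDRLEN + len;
	memcpy((char *)a + NLA_HDRLEN, d, len);
	nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + NLA_ALIGN(a->nla_len);
}

/* NFQNL_MSG_VERDICT for packet `id` on `queue`. verdict < 0 omits the mandatory NFQA_VERDICT_HDR
 * (the message nfqnl_recv_verdict() rejects with -EINVAL); pkt == NULL omits NFQA_PAYLOAD. */
size_t build_verdict(char *buf, uint16_t queue, uint32_t id, int verdict, const void *pkt, uint16_t plen)
{
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	struct nfgenmsg *nfg = NLMSG_DATA(nlh);
	memset(buf, 0, NLMSG_SPACE(sizeof(*nfg)));
	nlh->nlmsg_len = NLMSG_LENGTH(sizeof(*nfg));
	nlh->nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_VERDICT;
	nlh->nlmsg_flags = NLM_F_REQUEST;
	*nfg = (struct nfgenmsg){ .nfgen_family = AF_UNSPEC, .version = NFNETLINK_V0, .res_id = htons(queue) };
	if (verdict >= 0) {
		struct nfqnl_msg_verdict_hdr vh = { .verdict = htonl(verdict), .id = htonl(id) };
		put_attr(nlh, NFQA_VERDICT_HDR, &vh, sizeof(vh));
	}
	if (pkt)	/* unchanged packet: no payload attribute at all */
		put_attr(nlh, NFQA_PAYLOAD, pkt, plen);
	return nlh->nlmsg_len;
}

/* Receiver-side, bounds-checked attribute walk: payload length of `type`, or -1 if absent. */
int attr_len(const char *buf, uint16_t type)
{
	const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
	const struct nlattr *a = (const struct nlattr *)(buf + NLMSG_SPACE(sizeof(struct nfgenmsg)));
	int rem = nlh->nlmsg_len - NLMSG_SPACE(sizeof(struct nfgenmsg));
	for (; rem >= NLA_HDRLEN && a->nla_len >= NLA_HDRLEN && a->nla_len <= rem;
	     rem -= NLA_ALIGN(a->nla_len), a = (const struct nlattr *)((const char *)a + NLA_ALIGN(a->nla_len)))
		if (a->nla_type == type)
			return a->nla_len - NLA_HDRLEN;
	return -1;
}
```

A message with no NFQA_VERDICT_HDR is exactly the one the kernel answers with -EINVAL; attr_len() returning -1 for it is the userspace-side view of that check.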


* Re: Documentation question
  2019-11-20 23:26 ` Florian Westphal
@ 2019-11-21  5:33   ` Duncan Roe
  0 siblings, 0 replies; 7+ messages in thread
From: Duncan Roe @ 2019-11-21  5:33 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Pablo Neira Ayuso, Netfilter Development

On Thu, Nov 21, 2019 at 12:26:17AM +0100, Florian Westphal wrote:
> Duncan Roe <duncan_roe@optusnet.com.au> wrote:
> > Deprecated nfq_set_queue_flags documents flag NFQA_CFG_F_FAIL_OPEN for kernel to
> > accept packets if the kernel queue gets full.
> >
> > Does this still work with libmnl?
>
> Yes.
>
> > I'm thinking we need a new "Library Setup
> > [CURRENT]" section to document available flags (including e.g. NFQA_CFG_F_GSO
> > that examples/nf-queue.c uses).
>
> Makes sense, thanks.
>
> > Maybe we need Attribute helper functions as well? (documentation *and* new
> > code).
>
> If you think it makes it easier, sure, why not.
> But it would be something like this:
>
> void nfq_nlmsg_cfg_put_flags(struct nlmsghdr *nlh, uint32_t flags)
> {
>         mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(flags));
>         mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(flags));
> }
>
> I'm not sure that warrants a library helper.

Many of the existing helper functions are 2-liners, some even 1 line. These
little functions often have more lines of doxygen documentation than of code.

So I think the extra helpers would fit in fine.

Cheers ... Duncan.


* Re: Documentation question
  2019-11-20 23:09 Duncan Roe
@ 2019-11-20 23:26 ` Florian Westphal
  2019-11-21  5:33   ` Duncan Roe
  0 siblings, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2019-11-20 23:26 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Netfilter Development

Duncan Roe <duncan_roe@optusnet.com.au> wrote:
> Deprecated nfq_set_queue_flags documents flag NFQA_CFG_F_FAIL_OPEN for kernel to
> accept packets if the kernel queue gets full.
> 
> Does this still work with libmnl?

Yes.

> I'm thinking we need a new "Library Setup
> [CURRENT]" section to document available flags (including e.g. NFQA_CFG_F_GSO
> that examples/nf-queue.c uses).

Makes sense, thanks.

> Maybe we need Attribute helper functions as well? (documentation *and* new
> code).

If you think it makes it easier, sure, why not.
But it would be something like this:

void nfq_nlmsg_cfg_put_flags(struct nlmsghdr *nlh, uint32_t flags)
{
        mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(flags));
        mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(flags));
}

I'm not sure that warrants a library helper.


* Documentation question
@ 2019-11-20 23:09 Duncan Roe
  2019-11-20 23:26 ` Florian Westphal
  0 siblings, 1 reply; 7+ messages in thread
From: Duncan Roe @ 2019-11-20 23:09 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Netfilter Development

Hi Pablo,

Deprecated nfq_set_queue_flags documents flag NFQA_CFG_F_FAIL_OPEN for kernel to
accept packets if the kernel queue gets full.

Does this still work with libmnl?

I'm thinking we need a new "Library Setup
[CURRENT]" section to document available flags (including e.g. NFQA_CFG_F_GSO
that examples/nf-queue.c uses).

Maybe we need Attribute helper functions as well? (documentation *and* new
code).

Cheers ... Duncan.

