Netfilter-Devel Archive on lore.kernel.org
* [nft PATCH 0/3] Fixes for monitor/echo mode with maps
@ 2020-01-10 11:11 Phil Sutter
  2020-01-10 11:11 ` [nft PATCH 1/3] monitor: Do not decompose non-anonymous sets Phil Sutter
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Phil Sutter @ 2020-01-10 11:11 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Patch 1 fixes a segfault when trying to add a rule referring to a map
and adds a relevant test case. Patch 2 fixes wrong format of map
values; this is already covered by existing tests. Patch 3 merely
improves versatility of tests/monitor/run-tests.sh a bit.

Phil Sutter (3):
  monitor: Do not decompose non-anonymous sets
  monitor: Fix for use after free when printing map elements
  tests: monitor: Support running individual test cases

 src/monitor.c                          |  5 +++--
 tests/monitor/run-tests.sh             |  9 +++++++--
 tests/monitor/testcases/set-interval.t | 20 ++++++++++++++++++++
 3 files changed, 30 insertions(+), 4 deletions(-)
 create mode 100644 tests/monitor/testcases/set-interval.t

-- 
2.24.1



* [nft PATCH 1/3] monitor: Do not decompose non-anonymous sets
  2020-01-10 11:11 [nft PATCH 0/3] Fixes for monitor/echo mode with maps Phil Sutter
@ 2020-01-10 11:11 ` Phil Sutter
  2020-01-10 11:20   ` Pablo Neira Ayuso
  2020-01-10 11:11 ` [nft PATCH 2/3] monitor: Fix for use after free when printing map elements Phil Sutter
  2020-01-10 11:11 ` [nft PATCH 3/3] tests: monitor: Support running individual test cases Phil Sutter
  2 siblings, 1 reply; 7+ messages in thread
From: Phil Sutter @ 2020-01-10 11:11 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

They have been decomposed already; trying to do that again causes a
segfault. This is a similar fix as in commit 8ecb885589591 ("src:
restore --echo with anonymous sets").

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/monitor.c                          |  2 +-
 tests/monitor/testcases/set-interval.t | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 tests/monitor/testcases/set-interval.t

diff --git a/src/monitor.c b/src/monitor.c
index d586cfa34a979..84505eb914bf6 100644
--- a/src/monitor.c
+++ b/src/monitor.c
@@ -500,7 +500,7 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type,
 
 static void rule_map_decompose_cb(struct set *s, void *data)
 {
-	if (s->flags & NFT_SET_INTERVAL)
+	if (s->flags & (NFT_SET_INTERVAL & NFT_SET_ANONYMOUS))
 		interval_map_decompose(s->init);
 }
 
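Review bot: the new condition on the `+` line can never be true: `NFT_SET_INTERVAL & NFT_SET_ANONYMOUS` is a bitwise AND of two distinct single-bit flag values and evaluates to 0, so `s->flags & 0` is always 0 and `interval_map_decompose()` is no longer called for any set, anonymous interval sets included. The intent stated in the subject (skip non-anonymous sets, keep decomposing anonymous ones) needs both bits tested as set, e.g. `if ((s->flags & (NFT_SET_INTERVAL | NFT_SET_ANONYMOUS)) == (NFT_SET_INTERVAL | NFT_SET_ANONYMOUS))`. The segfault disappears either way because the call is simply skipped, which is why the new test passes; the regression would only show up with an anonymous interval set in --echo/monitor output, the case commit 8ecb885589591 fixed.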
diff --git a/tests/monitor/testcases/set-interval.t b/tests/monitor/testcases/set-interval.t
new file mode 100644
index 0000000000000..59930c58243d8
--- /dev/null
+++ b/tests/monitor/testcases/set-interval.t
@@ -0,0 +1,20 @@
+# setup first
+I add table ip t
+I add chain ip t c
+O -
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
+J {"add": {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}}
+
+# add set with elements, monitor output expectedly differs
+I add set ip t s { type inet_service; flags interval; elements = { 20, 30-40 }; }
+O add set ip t s { type inet_service; flags interval; }
+O add element ip t s { 20 }
+O add element ip t s { 30-40 }
+J {"add": {"set": {"family": "ip", "name": "s", "table": "t", "type": "inet_service", "handle": 0, "flags": ["interval"]}}}
+J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [20]}}}}
+J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [{"range": [30, 40]}]}}}}
+
+# this would crash nft
+I add rule ip t c tcp dport @s
+O -
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@s"}}]}}}
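Review bot: the test covers only the named-set path (`add set ip t s ... flags interval` followed by `tcp dport @s`), which with this patch never reaches `interval_map_decompose()` no matter how the flag check is written, so it cannot detect a mistake in the anonymous-set half of the condition. Consider adding a second rule with an anonymous interval set inline (e.g. `tcp dport { 20, 30-40 }`) so the decomposition path that commit 8ecb885589591 restored stays exercised by the same test file. Minor: `# this would crash nft` reads as a description of current behaviour; `# this used to crash nft` is clearer for whoever reads the test later.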
-- 
2.24.1



* [nft PATCH 2/3] monitor: Fix for use after free when printing map elements
  2020-01-10 11:11 [nft PATCH 0/3] Fixes for monitor/echo mode with maps Phil Sutter
  2020-01-10 11:11 ` [nft PATCH 1/3] monitor: Do not decompose non-anonymous sets Phil Sutter
@ 2020-01-10 11:11 ` Phil Sutter
  2020-01-10 11:21   ` Pablo Neira Ayuso
  2020-01-10 11:11 ` [nft PATCH 3/3] tests: monitor: Support running individual test cases Phil Sutter
  2 siblings, 1 reply; 7+ messages in thread
From: Phil Sutter @ 2020-01-10 11:11 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

When populating the dummy set, 'data' field must be cloned just like
'key' field.

Fixes: 343a51702656a ("src: store expr, not dtype to track data in sets")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/monitor.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/monitor.c b/src/monitor.c
index 84505eb914bf6..53a8bcd4641d1 100644
--- a/src/monitor.c
+++ b/src/monitor.c
@@ -401,7 +401,8 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type,
 	 */
 	dummyset = set_alloc(monh->loc);
 	dummyset->key = expr_clone(set->key);
-	dummyset->data = set->data;
+	if (set->data)
+		dummyset->data = expr_clone(set->data);
 	dummyset->flags = set->flags;
 	dummyset->init = set_expr_alloc(monh->loc, set);
 
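Review bot: the commit message says `data` must be cloned but not why; the subject and the change together imply that `dummyset` previously shared `set->data` by pointer and that freeing `dummyset` presumably released it, leaving the cached set with a dangling `data` expression. One sentence saying so would make the `Fixes:` reference self-explanatory. The `if (set->data)` guard is needed because `expr_clone()` dereferences its argument and the guard itself suggests `data` may be NULL (sets that are not maps), whereas `key` on the line above is cloned unconditionally; a short comment next to the guard would spare the next reader from wondering why the two fields are treated differently.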
-- 
2.24.1



* [nft PATCH 3/3] tests: monitor: Support running individual test cases
  2020-01-10 11:11 [nft PATCH 0/3] Fixes for monitor/echo mode with maps Phil Sutter
  2020-01-10 11:11 ` [nft PATCH 1/3] monitor: Do not decompose non-anonymous sets Phil Sutter
  2020-01-10 11:11 ` [nft PATCH 2/3] monitor: Fix for use after free when printing map elements Phil Sutter
@ 2020-01-10 11:11 ` Phil Sutter
  2020-01-10 11:21   ` Pablo Neira Ayuso
  2 siblings, 1 reply; 7+ messages in thread
From: Phil Sutter @ 2020-01-10 11:11 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Recognize testcase paths on command line and limit testing to those
only.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 tests/monitor/run-tests.sh | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh
index 0478cf60c0dfe..efacdaaab952b 100755
--- a/tests/monitor/run-tests.sh
+++ b/tests/monitor/run-tests.sh
@@ -108,6 +108,7 @@ echo_run_test() {
 	touch $output_file
 }
 
+testcases=""
 while [ -n "$1" ]; do
 	case "$1" in
 	-d|--debug)
@@ -118,11 +119,15 @@ while [ -n "$1" ]; do
 		test_json=true
 		shift
 		;;
+	testcases/*.t)
+		testcases+=" $1"
+		shift
+		;;
 	*)
 		echo "unknown option '$1'"
 		;&
 	-h|--help)
-		echo "Usage: $(basename $0) [-j|--json] [-d|--debug]"
+		echo "Usage: $(basename $0) [-j|--json] [-d|--debug] [testcase ...]"
 		exit 1
 		;;
 	esac
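Review bot: the `testcases/*.t)` pattern only matches that exact relative spelling; `./testcases/foo.t`, an absolute path, or a tab-completed path from another working directory falls through to `*)` and is rejected as an unknown option, while a string that matches the pattern but names no existing file is accepted silently and only fails later inside the test loop. Consider matching on the file rather than the spelling, e.g. `*.t) [ -f "$1" ] || { echo "no such testcase '$1'"; exit 1; }`, which also lets the usage line's `[testcase ...]` accept any path the user can see.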
@@ -138,7 +143,7 @@ for variant in $variants; do
 	run_test=${variant}_run_test
 	output_append=${variant}_output_append
 
-	for testcase in testcases/*.t; do
+	for testcase in ${testcases:-testcases/*.t}; do
 		echo "$variant: running tests from file $(basename $testcase)"
 		# files are like this:
 		#
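Review bot: `${testcases:-testcases/*.t}` is deliberately left unquoted so that the default glob expands and the space-separated list built by `testcases+=" $1"` splits into words (the leading space is harmless for the same reason). That is correct for the repository's own file names, but it runs against the usual "quote every expansion" advice and a later cleanup could quote it and break the default case; a one-line comment above the `for` stating that the expansion relies on word splitting and globbing would protect it.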
-- 
2.24.1



* Re: [nft PATCH 1/3] monitor: Do not decompose non-anonymous sets
  2020-01-10 11:11 ` [nft PATCH 1/3] monitor: Do not decompose non-anonymous sets Phil Sutter
@ 2020-01-10 11:20   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-01-10 11:20 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Fri, Jan 10, 2020 at 12:11:12PM +0100, Phil Sutter wrote:
> They have been decomposed already; trying to do that again causes a
> segfault. This is a similar fix as in commit 8ecb885589591 ("src:
> restore --echo with anonymous sets").
> 
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>


* Re: [nft PATCH 2/3] monitor: Fix for use after free when printing map elements
  2020-01-10 11:11 ` [nft PATCH 2/3] monitor: Fix for use after free when printing map elements Phil Sutter
@ 2020-01-10 11:21   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-01-10 11:21 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Fri, Jan 10, 2020 at 12:11:13PM +0100, Phil Sutter wrote:
> When populating the dummy set, 'data' field must be cloned just like
> 'key' field.
> 
> Fixes: 343a51702656a ("src: store expr, not dtype to track data in sets")
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>


* Re: [nft PATCH 3/3] tests: monitor: Support running individual test cases
  2020-01-10 11:11 ` [nft PATCH 3/3] tests: monitor: Support running individual test cases Phil Sutter
@ 2020-01-10 11:21   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-01-10 11:21 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Fri, Jan 10, 2020 at 12:11:14PM +0100, Phil Sutter wrote:
> Recognize testcase paths on command line and limit testing to those
> only.
> 
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

