* [nft PATCH 0/3] Fixes for monitor/echo mode with maps
From: Phil Sutter @ 2020-01-10 11:11 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel

Patch 1 fixes a segfault when trying to add a rule referring to a map and
adds a relevant test case. Patch 2 fixes for wrong format of map values,
this is already covered by existing tests. Patch 3 merely improves
versatility of tests/monitor/run-tests.sh a bit.

Phil Sutter (3):
  monitor: Do not decompose non-anonymous sets
  monitor: Fix for use after free when printing map elements
  tests: monitor: Support running individual test cases

 src/monitor.c                          |  5 +++--
 tests/monitor/run-tests.sh             |  9 +++++++--
 tests/monitor/testcases/set-interval.t | 20 ++++++++++++++++++++
 3 files changed, 30 insertions(+), 4 deletions(-)
 create mode 100644 tests/monitor/testcases/set-interval.t

--
2.24.1
* [nft PATCH 1/3] monitor: Do not decompose non-anonymous sets 2020-01-10 11:11 [nft PATCH 0/3] Fixes for monitor/echo mode with maps Phil Sutter @ 2020-01-10 11:11 ` Phil Sutter 2020-01-10 11:20 ` Pablo Neira Ayuso 2020-01-10 11:11 ` [nft PATCH 2/3] monitor: Fix for use after free when printing map elements Phil Sutter 2020-01-10 11:11 ` [nft PATCH 3/3] tests: monitor: Support running individual test cases Phil Sutter 2 siblings, 1 reply; 7+ messages in thread From: Phil Sutter @ 2020-01-10 11:11 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter-devel They have been decomposed already, trying to do that again causes a segfault. This is a similar fix as in commit 8ecb885589591 ("src: restore --echo with anonymous sets"). Signed-off-by: Phil Sutter <phil@nwl.cc> --- src/monitor.c | 2 +- tests/monitor/testcases/set-interval.t | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 tests/monitor/testcases/set-interval.t diff --git a/src/monitor.c b/src/monitor.c index d586cfa34a979..84505eb914bf6 100644 --- a/src/monitor.c +++ b/src/monitor.c @@ -500,7 +500,7 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type, static void rule_map_decompose_cb(struct set *s, void *data) { - if (s->flags & NFT_SET_INTERVAL) + if (s->flags & (NFT_SET_INTERVAL & NFT_SET_ANONYMOUS)) interval_map_decompose(s->init); } diff --git a/tests/monitor/testcases/set-interval.t b/tests/monitor/testcases/set-interval.t new file mode 100644 index 0000000000000..59930c58243d8 --- /dev/null +++ b/tests/monitor/testcases/set-interval.t 
@@ -0,0 +1,20 @@ +# setup first +I add table ip t +I add chain ip t c +O - +J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}} +J {"add": {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}} + +# add set with elements, monitor output expectedly differs +I add set ip t s { type inet_service; flags interval; elements = { 20, 30-40 }; } +O add set ip t s { type inet_service; flags interval; } +O add element ip t s { 20 } +O add element ip t s { 30-40 } +J {"add": {"set": {"family": "ip", "name": "s", "table": "t", "type": "inet_service", "handle": 0, "flags": ["interval"]}}} +J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [20]}}}} +J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [{"range": [30, 40]}]}}}} + +# this would crash nft +I add rule ip t c tcp dport @s +O - +J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@s"}}]}}} -- 2.24.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
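Review bot: in the src/monitor.c hunk, rule_map_decompose_cb() now tests `s->flags & (NFT_SET_INTERVAL & NFT_SET_ANONYMOUS)`, which ANDs the two flag constants together before masking s->flags. If these are distinct flag bits, the inner expression is 0 and interval_map_decompose() is never called for any set, so the segfault goes away only because decomposition is disabled altogether, anonymous interval sets included. To express what the subject line says, require both bits: `if ((s->flags & NFT_SET_INTERVAL) && (s->flags & NFT_SET_ANONYMOUS))`. The new set-interval.t only exercises a named set, so it passes either way; a case that adds a rule with an anonymous interval set would tell the two conditions apart.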
* Re: [nft PATCH 1/3] monitor: Do not decompose non-anonymous sets
From: Pablo Neira Ayuso @ 2020-01-10 11:20 UTC
To: Phil Sutter; +Cc: netfilter-devel

On Fri, Jan 10, 2020 at 12:11:12PM +0100, Phil Sutter wrote:
> They have been decomposed already, trying to do that again causes a
> segfault. This is a similar fix as in commit 8ecb885589591 ("src:
> restore --echo with anonymous sets").
>
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* [nft PATCH 2/3] monitor: Fix for use after free when printing map elements 2020-01-10 11:11 [nft PATCH 0/3] Fixes for monitor/echo mode with maps Phil Sutter 2020-01-10 11:11 ` [nft PATCH 1/3] monitor: Do not decompose non-anonymous sets Phil Sutter @ 2020-01-10 11:11 ` Phil Sutter 2020-01-10 11:21 ` Pablo Neira Ayuso 2020-01-10 11:11 ` [nft PATCH 3/3] tests: monitor: Support running individual test cases Phil Sutter 2 siblings, 1 reply; 7+ messages in thread From: Phil Sutter @ 2020-01-10 11:11 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter-devel When populating the dummy set, 'data' field must be cloned just like 'key' field. Fixes: 343a51702656a ("src: store expr, not dtype to track data in sets") Signed-off-by: Phil Sutter <phil@nwl.cc> --- src/monitor.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/monitor.c b/src/monitor.c index 84505eb914bf6..53a8bcd4641d1 100644 --- a/src/monitor.c +++ b/src/monitor.c @@ -401,7 +401,8 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type, */ dummyset = set_alloc(monh->loc); dummyset->key = expr_clone(set->key); - dummyset->data = set->data; + if (set->data) + dummyset->data = expr_clone(set->data); dummyset->flags = set->flags; dummyset->init = set_expr_alloc(monh->loc, set); -- 2.24.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
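Review bot: in netlink_events_setelem_cb(), the new `if (set->data)` guard leaves dummyset->data untouched when the set carries no data expression, so correctness on that path depends on set_alloc() returning a zeroed struct, which this hunk does not show. Either state that in the commit message or add an explicit `else dummyset->data = NULL;`. The message would also be clearer if it named where the dummy set is released, since that is the free that left the shared pointer dangling, and a short comment on why `expr_clone(set->key)` on the line above needs no such guard would help the next reader.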
* Re: [nft PATCH 2/3] monitor: Fix for use after free when printing map elements
From: Pablo Neira Ayuso @ 2020-01-10 11:21 UTC
To: Phil Sutter; +Cc: netfilter-devel

On Fri, Jan 10, 2020 at 12:11:13PM +0100, Phil Sutter wrote:
> When populating the dummy set, 'data' field must be cloned just like
> 'key' field.
>
> Fixes: 343a51702656a ("src: store expr, not dtype to track data in sets")
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* [nft PATCH 3/3] tests: monitor: Support running individual test cases 2020-01-10 11:11 [nft PATCH 0/3] Fixes for monitor/echo mode with maps Phil Sutter 2020-01-10 11:11 ` [nft PATCH 1/3] monitor: Do not decompose non-anonymous sets Phil Sutter 2020-01-10 11:11 ` [nft PATCH 2/3] monitor: Fix for use after free when printing map elements Phil Sutter @ 2020-01-10 11:11 ` Phil Sutter 2020-01-10 11:21 ` Pablo Neira Ayuso 2 siblings, 1 reply; 7+ messages in thread From: Phil Sutter @ 2020-01-10 11:11 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter-devel Recognize testcase paths on command line and limit testing on those only. Signed-off-by: Phil Sutter <phil@nwl.cc> --- tests/monitor/run-tests.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh index 0478cf60c0dfe..efacdaaab952b 100755 --- a/tests/monitor/run-tests.sh +++ b/tests/monitor/run-tests.sh @@ -108,6 +108,7 @@ echo_run_test() { touch $output_file } +testcases="" while [ -n "$1" ]; do case "$1" in -d|--debug) @@ -118,11 +119,15 @@ while [ -n "$1" ]; do test_json=true shift ;; + testcases/*.t) + testcases+=" $1" + shift + ;; *) echo "unknown option '$1'" ;& -h|--help) - echo "Usage: $(basename $0) [-j|--json] [-d|--debug]" + echo "Usage: $(basename $0) [-j|--json] [-d|--debug] [testcase ...]" exit 1 ;; esac @@ -138,7 +143,7 @@ for variant in $variants; do run_test=${variant}_run_test output_append=${variant}_output_append - for testcase in testcases/*.t; do + for testcase in ${testcases:-testcases/*.t}; do echo "$variant: running tests from file $(basename $testcase)" # files are like this: # -- 2.24.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
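Review bot: in the option-parsing hunk of run-tests.sh, the new `testcases/*.t)` case only accepts arguments that literally start with `testcases/`, so `./testcases/set-interval.t` or an absolute path falls through to "unknown option" and the usage text, while a non-existent file that matches the pattern is accepted by the parser. The updated usage string `[testcase ...]` does not mention this restriction. Consider matching `*.t)` together with a `[ -f "$1" ]` check, or document the required form in the usage line. In the loop hunk, `${testcases:-testcases/*.t}` is expanded unquoted, so a testcase path containing whitespace would be split into several words; collecting the arguments in an array avoids that if such paths matter.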
* Re: [nft PATCH 3/3] tests: monitor: Support running individual test cases
From: Pablo Neira Ayuso @ 2020-01-10 11:21 UTC
To: Phil Sutter; +Cc: netfilter-devel

On Fri, Jan 10, 2020 at 12:11:14PM +0100, Phil Sutter wrote:
> Recognize testcase paths on command line and limit testing on those
> only.
>
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>