From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [iptables PATCH 2/2] nfnl_osf: Improve error handling
Date: Tue, 12 May 2020 15:34:57 +0200 [thread overview]
Message-ID: <20200512133456.GJ17795@orbyte.nwl.cc> (raw)
In-Reply-To: <20200512124949.GA23943@salvia>
Hi Pablo,
On Tue, May 12, 2020 at 02:49:49PM +0200, Pablo Neira Ayuso wrote:
> On Mon, May 11, 2020 at 01:31:12PM +0200, Phil Sutter wrote:
> > Hi Pablo,
> >
> > On Sat, May 09, 2020 at 07:28:07PM +0200, Pablo Neira Ayuso wrote:
> > > On Sat, May 09, 2020 at 01:52:00PM +0200, Phil Sutter wrote:
> > > > For some error cases, no log message was created - hence apart from the
> > > > return code there was no indication of failing execution.
> > > >
> > > > When loading a line fails, don't abort but continue with the remaining
> > > > file contents. The current pf.os file in this repository serves as
> > > > proof-of-concept: Loading all entries succeeds, but when deleting, lines
> > > > 700, 701 and 704 return ENOENT. Not continuing means the remaining
> > > > entries are not cleared.
> > >
> > > Did you look at why are these lines returning ENOENT?
> >
> > If I understand the code right, line 700 is a duplicate of line 698, 701
> > of 699 and 704 of 702. This is because 'W*' parses identical to 'W0' and
> > in right-hand side only the first three text fields (genre, version and
> > subtype) are relevant - the rest is ignored.
>
> I see, in the userspace parser, W0 and W* are being handled as
> OSF_WSS_PLAIN.
>
> > When adding, this doesn't become visible because flag NLM_F_EXCL is not
> > specified. If it is, kernel returns EEXISTS for those lines.
>
> In the kernel, the struct nf_osf_user_finger is used as key to
> identify each line, given they are identical.
>
> So it looks like this EEXIST has been there since the beginning.
>
> This patchset LGTM, it's just that the user might get confused if it
> see errors when using this tool, probably turning this into a warning
> is fine.
Yes, at least it's unfortunate that the default fingerprint file
triggers them. We could drop the offending lines, but then again re-sync
with OpenBSD won't be trivial anymore.
From my PoV we may also just ignore the error conditions. Most important
bit here is to not stop on error, at least not when deleting.
> Or at least, include this information in the commit message so this
> does not get lost :-)
Yes, I'll extend the commit message. Thanks for the reminder.
Cheers, Phil
prev parent reply other threads:[~2020-05-12 13:34 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-09 11:51 [iptables PATCH 0/2] Critical: Unbreak nfnl_osf tool Phil Sutter
2020-05-09 11:51 ` [iptables PATCH 1/2] nfnl_osf: Fix broken conversion to nfnl_query() Phil Sutter
2020-05-09 11:52 ` [iptables PATCH 2/2] nfnl_osf: Improve error handling Phil Sutter
2020-05-09 17:28 ` Pablo Neira Ayuso
2020-05-11 11:31 ` Phil Sutter
2020-05-12 12:49 ` Pablo Neira Ayuso
2020-05-12 13:34 ` Phil Sutter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200512133456.GJ17795@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).