* [iptables PATCH v2 1/2] nfnl_osf: Fix broken conversion to nfnl_query()
2020-05-15 14:03 [iptables PATCH v2 0/2] Critical: Unbreak nfnl_osf tool Phil Sutter
@ 2020-05-15 14:03 ` Phil Sutter
2020-05-15 14:03 ` [iptables PATCH v2 2/2] nfnl_osf: Improve error handling Phil Sutter
2020-05-18 14:57 ` [iptables PATCH v2 0/2] Critical: Unbreak nfnl_osf tool Pablo Neira Ayuso
2 siblings, 0 replies; 5+ messages in thread
From: Phil Sutter @ 2020-05-15 14:03 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Due to missing NLM_F_ACK flag in request, nfnetlink code in kernel
didn't create an own ACK message but left it upon subsystem to ACK or
not. Since nfnetlink_osf doesn't ACK by itself, nfnl_query() got stuck
waiting for a reply.
Whoever did the conversion from deprecated nfnl_talk() obviously didn't
even test basic functionality of the tool.
Fixes: 52aa15098ebd6 ("nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
utils/nfnl_osf.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
index 15d531975e11d..922d90ac135b7 100644
--- a/utils/nfnl_osf.c
+++ b/utils/nfnl_osf.c
@@ -378,9 +378,11 @@ static int osf_load_line(char *buffer, int len, int del)
memset(buf, 0, sizeof(buf));
if (del)
- nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_REMOVE, NLM_F_REQUEST);
+ nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_REMOVE,
+ NLM_F_ACK | NLM_F_REQUEST);
else
- nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_ADD, NLM_F_REQUEST | NLM_F_CREATE);
+ nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_ADD,
+ NLM_F_ACK | NLM_F_REQUEST | NLM_F_CREATE);
nfnl_addattr_l(nmh, sizeof(buf), OSF_ATTR_FINGER, &f, sizeof(struct xt_osf_user_finger));
--
2.26.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [iptables PATCH v2 2/2] nfnl_osf: Improve error handling
2020-05-15 14:03 [iptables PATCH v2 0/2] Critical: Unbreak nfnl_osf tool Phil Sutter
2020-05-15 14:03 ` [iptables PATCH v2 1/2] nfnl_osf: Fix broken conversion to nfnl_query() Phil Sutter
@ 2020-05-15 14:03 ` Phil Sutter
2020-05-18 15:38 ` Phil Sutter
2020-05-18 14:57 ` [iptables PATCH v2 0/2] Critical: Unbreak nfnl_osf tool Pablo Neira Ayuso
2 siblings, 1 reply; 5+ messages in thread
From: Phil Sutter @ 2020-05-15 14:03 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
For some error cases, no log message was created - hence apart from the
return code there was no indication of failing execution.
If a line load fails, don't abort but continue with the remaining
file contents. The current pf.os file in this repository serves as
proof-of-concept:
Lines 700 and 701: Duplicates of lines 698 and 699 because 'W*' and 'W0'
parse into the same data.
Line 704: Duplicate of line 702 because apart from 'W*' and 'W0', only
the first three fields on right-hand side are sent to the kernel.
When loading, these dups are ignored (they would bounce if NLM_F_EXCL
was given). Upon deletion, they cause ENOENT response from kernel.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
Changes since v1:
- Don't use ulog_err() when complaining about missing fingerprints
argument, the use of strerror() with zero errno is misleading.
- Don't print error on osf_load_line() failure when deleting and errno
is ENOENT. Upon add, NLM_F_EXCL is not set so EEXIST is basically
ignored, be equally error-tolerant upon deletion.
---
utils/nfnl_osf.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
index 922d90ac135b7..4183d66c22d16 100644
--- a/utils/nfnl_osf.c
+++ b/utils/nfnl_osf.c
@@ -392,7 +392,7 @@ static int osf_load_line(char *buffer, int len, int del)
static int osf_load_entries(char *path, int del)
{
FILE *inf;
- int err = 0;
+ int err = 0, lineno = 0;
char buf[1024];
inf = fopen(path, "r");
@@ -402,7 +402,9 @@ static int osf_load_entries(char *path, int del)
}
while(fgets(buf, sizeof(buf), inf)) {
- int len;
+ int len, rc;
+
+ lineno++;
if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r')
continue;
@@ -414,9 +416,11 @@ static int osf_load_entries(char *path, int del)
buf[len] = '\0';
- err = osf_load_line(buf, len, del);
- if (err)
- break;
+ rc = osf_load_line(buf, len, del);
+ if (rc && (!del || errno == ENOENT)) {
+ ulog_err("Failed to load line %d", lineno);
+ err = rc;
+ }
memset(buf, 0, sizeof(buf));
}
@@ -448,6 +452,7 @@ int main(int argc, char *argv[])
if (!fingerprints) {
err = -ENOENT;
+ ulog("Missing fingerprints file argument.\n");
goto err_out_exit;
}
--
2.26.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [iptables PATCH v2 2/2] nfnl_osf: Improve error handling
2020-05-15 14:03 ` [iptables PATCH v2 2/2] nfnl_osf: Improve error handling Phil Sutter
@ 2020-05-18 15:38 ` Phil Sutter
0 siblings, 0 replies; 5+ messages in thread
From: Phil Sutter @ 2020-05-18 15:38 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Two minor nits during final review:
On Fri, May 15, 2020 at 04:03:30PM +0200, Phil Sutter wrote:
[...]
> ---
> Changes since v1:
> - Don't use ulog_err() when complaining about missing fingerprints
> argument, the use of strerror() with zero errno is misleading.
> - Don't print error on osf_load_line() failure when deleting and errno
> is ENOENT. Upon add, NLM_F_EXCL is not set so EEXIST is basically
> ignored, be equally error-tolerant upon deletion.
This change didn't make it into the commit message, although it's worth
mentioning.
[...]
> @@ -414,9 +416,11 @@ static int osf_load_entries(char *path, int del)
>
> buf[len] = '\0';
>
> - err = osf_load_line(buf, len, del);
> - if (err)
> - break;
> + rc = osf_load_line(buf, len, del);
> + if (rc && (!del || errno == ENOENT)) {
Stupid typo here, it should read 'errno != ENOENT'.
I'll fix both before pushing upstream.
Cheers, Phil
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [iptables PATCH v2 0/2] Critical: Unbreak nfnl_osf tool
2020-05-15 14:03 [iptables PATCH v2 0/2] Critical: Unbreak nfnl_osf tool Phil Sutter
2020-05-15 14:03 ` [iptables PATCH v2 1/2] nfnl_osf: Fix broken conversion to nfnl_query() Phil Sutter
2020-05-15 14:03 ` [iptables PATCH v2 2/2] nfnl_osf: Improve error handling Phil Sutter
@ 2020-05-18 14:57 ` Pablo Neira Ayuso
2 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-18 14:57 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel
On Fri, May 15, 2020 at 04:03:28PM +0200, Phil Sutter wrote:
> No changes in patch 1, it is still the right fix for the problem and
> restores original behaviour.
>
> Patch 2 changed according to feedback:
>
> - Elaborate on why there are duplicates in pf.os in the first place.
>
> - Ignore ENOENT when deleting. Since the code ignores EEXIST when
> creating, reporting this was asymmetrical behaviour.
>
> - Fix for ugly error message when user didn't specify '-f' option.
This looks good.
Thanks for addressing my feedback.
^ permalink raw reply [flat|nested] 5+ messages in thread