* [PATCH nf] netfilter: nftables: fix incorrect element timeout
@ 2020-12-08 17:37 Pablo Neira Ayuso
2020-12-08 17:42 ` Pablo Neira Ayuso
2020-12-09 4:30 ` kernel test robot
0 siblings, 2 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2020-12-08 17:37 UTC (permalink / raw)
To: netfilter-devel
Use nf_msecs_to_jiffies64 and nf_jiffies64_to_msecs as provided by
8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23
days"), otherwise ruleset listing breaks.
Fixes: a8b1e36d0d1d ("netfilter: nft_dynset: fix element timeout for HZ != 1000")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 4 ++++
net/netfilter/nf_tables_api.c | 4 ++--
net/netfilter/nft_dynset.c | 5 ++---
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 55b4cadf290a..c1c0a4ff92ae 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1524,4 +1524,8 @@ void __init nft_chain_route_init(void);
void nft_chain_route_fini(void);
void nf_tables_trans_destroy_flush_work(void);
+
+int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result);
+__be64 nf_jiffies64_to_msecs(u64 input);
+
#endif /* _NET_NF_TABLES_H */
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 23abf1578594..c2f59879a48d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3719,7 +3719,7 @@ static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
return 0;
}
-static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
+int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
{
u64 ms = be64_to_cpu(nla_get_be64(nla));
u64 max = (u64)(~((u64)0));
@@ -3733,7 +3733,7 @@ static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
return 0;
}
-static __be64 nf_jiffies64_to_msecs(u64 input)
+__be64 nf_jiffies64_to_msecs(u64 input)
{
return cpu_to_be64(jiffies64_to_msecs(input));
}
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 64ca13a1885b..ca6cfbb27051 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -157,8 +157,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
if (!(set->flags & NFT_SET_TIMEOUT))
return -EINVAL;
- timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
- tb[NFTA_DYNSET_TIMEOUT])));
+ timeout = nf_msecs_to_jiffies(be64_to_cpu(nla_get_be64(tb[NFTA_DYNSET_TIMEOUT])));
}
priv->sreg_key = nft_parse_register(tb[NFTA_DYNSET_SREG_KEY]);
@@ -267,7 +266,7 @@ static int nft_dynset_dump(struct sk_buff *skb, const struct nft_expr *expr)
if (nla_put_string(skb, NFTA_DYNSET_SET_NAME, priv->set->name))
goto nla_put_failure;
if (nla_put_be64(skb, NFTA_DYNSET_TIMEOUT,
- cpu_to_be64(jiffies_to_msecs(priv->timeout)),
+ cpu_to_be64(nf_jiffies_to_msecs(priv->timeout)),
NFTA_DYNSET_PAD))
goto nla_put_failure;
if (priv->expr && nft_expr_dump(skb, NFTA_DYNSET_EXPR, priv->expr))
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH nf] netfilter: nftables: fix incorrect element timeout
2020-12-08 17:37 [PATCH nf] netfilter: nftables: fix incorrect element timeout Pablo Neira Ayuso
@ 2020-12-08 17:42 ` Pablo Neira Ayuso
2020-12-09 4:30 ` kernel test robot
1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2020-12-08 17:42 UTC (permalink / raw)
To: netfilter-devel
On Tue, Dec 08, 2020 at 06:37:16PM +0100, Pablo Neira Ayuso wrote:
> Use nf_msecs_to_jiffies64 and nf_jiffies64_to_msecs as provided by
> 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23
> days"), otherwise ruleset listing breaks.
Please, discard this patch. This has been replaced by:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20201208173810.14018-1-pablo@netfilter.org/
Sorry for the noise.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH nf] netfilter: nftables: fix incorrect element timeout
2020-12-08 17:37 [PATCH nf] netfilter: nftables: fix incorrect element timeout Pablo Neira Ayuso
2020-12-08 17:42 ` Pablo Neira Ayuso
@ 2020-12-09 4:30 ` kernel test robot
1 sibling, 0 replies; 3+ messages in thread
From: kernel test robot @ 2020-12-09 4:30 UTC (permalink / raw)
To: Pablo Neira Ayuso, netfilter-devel; +Cc: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 9780 bytes --]
Hi Pablo,
I love your patch! Yet something to improve:
[auto build test ERROR on nf/master]
url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-nftables-fix-incorrect-element-timeout/20201209-014124
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
config: m68k-allmodconfig (attached as .config)
compiler: m68k-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/4eebbc7da20071b9076b837dbc264c3eed1daea1
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Pablo-Neira-Ayuso/netfilter-nftables-fix-incorrect-element-timeout/20201209-014124
git checkout 4eebbc7da20071b9076b837dbc264c3eed1daea1
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=m68k
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
In file included from include/linux/kernel.h:11,
from net/netfilter/nft_dynset.c:6:
include/linux/scatterlist.h: In function 'sg_set_buf':
arch/m68k/include/asm/page_mm.h:169:49: warning: ordered comparison of pointer with null pointer [-Wextra]
169 | #define virt_addr_valid(kaddr) ((void *)(kaddr) >= (void *)PAGE_OFFSET && (void *)(kaddr) < high_memory)
| ^~
include/linux/compiler.h:78:42: note: in definition of macro 'unlikely'
78 | # define unlikely(x) __builtin_expect(!!(x), 0)
| ^
include/linux/scatterlist.h:143:2: note: in expansion of macro 'BUG_ON'
143 | BUG_ON(!virt_addr_valid(buf));
| ^~~~~~
include/linux/scatterlist.h:143:10: note: in expansion of macro 'virt_addr_valid'
143 | BUG_ON(!virt_addr_valid(buf));
| ^~~~~~~~~~~~~~~
net/netfilter/nft_dynset.c: In function 'nft_dynset_init':
>> net/netfilter/nft_dynset.c:160:13: error: implicit declaration of function 'nf_msecs_to_jiffies'; did you mean 'nf_msecs_to_jiffies64'? [-Werror=implicit-function-declaration]
160 | timeout = nf_msecs_to_jiffies(be64_to_cpu(nla_get_be64(tb[NFTA_DYNSET_TIMEOUT])));
| ^~~~~~~~~~~~~~~~~~~
| nf_msecs_to_jiffies64
In file included from include/linux/byteorder/big_endian.h:5,
from arch/m68k/include/uapi/asm/byteorder.h:5,
from include/asm-generic/bitops/le.h:6,
from arch/m68k/include/asm/bitops.h:528,
from include/linux/bitops.h:29,
from include/linux/kernel.h:12,
from net/netfilter/nft_dynset.c:6:
net/netfilter/nft_dynset.c: In function 'nft_dynset_dump':
>> net/netfilter/nft_dynset.c:269:17: error: implicit declaration of function 'nf_jiffies_to_msecs'; did you mean 'nf_jiffies64_to_msecs'? [-Werror=implicit-function-declaration]
269 | cpu_to_be64(nf_jiffies_to_msecs(priv->timeout)),
| ^~~~~~~~~~~~~~~~~~~
include/uapi/linux/byteorder/big_endian.h:37:51: note: in definition of macro '__cpu_to_be64'
37 | #define __cpu_to_be64(x) ((__force __be64)(__u64)(x))
| ^
net/netfilter/nft_dynset.c:269:5: note: in expansion of macro 'cpu_to_be64'
269 | cpu_to_be64(nf_jiffies_to_msecs(priv->timeout)),
| ^~~~~~~~~~~
cc1: some warnings being treated as errors
vim +160 net/netfilter/nft_dynset.c
104
105 static int nft_dynset_init(const struct nft_ctx *ctx,
106 const struct nft_expr *expr,
107 const struct nlattr * const tb[])
108 {
109 struct nft_dynset *priv = nft_expr_priv(expr);
110 u8 genmask = nft_genmask_next(ctx->net);
111 struct nft_set *set;
112 u64 timeout;
113 int err;
114
115 lockdep_assert_held(&ctx->net->nft.commit_mutex);
116
117 if (tb[NFTA_DYNSET_SET_NAME] == NULL ||
118 tb[NFTA_DYNSET_OP] == NULL ||
119 tb[NFTA_DYNSET_SREG_KEY] == NULL)
120 return -EINVAL;
121
122 if (tb[NFTA_DYNSET_FLAGS]) {
123 u32 flags = ntohl(nla_get_be32(tb[NFTA_DYNSET_FLAGS]));
124
125 if (flags & ~NFT_DYNSET_F_INV)
126 return -EINVAL;
127 if (flags & NFT_DYNSET_F_INV)
128 priv->invert = true;
129 }
130
131 set = nft_set_lookup_global(ctx->net, ctx->table,
132 tb[NFTA_DYNSET_SET_NAME],
133 tb[NFTA_DYNSET_SET_ID], genmask);
134 if (IS_ERR(set))
135 return PTR_ERR(set);
136
137 if (set->ops->update == NULL)
138 return -EOPNOTSUPP;
139
140 if (set->flags & NFT_SET_CONSTANT)
141 return -EBUSY;
142
143 priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP]));
144 switch (priv->op) {
145 case NFT_DYNSET_OP_ADD:
146 case NFT_DYNSET_OP_DELETE:
147 break;
148 case NFT_DYNSET_OP_UPDATE:
149 if (!(set->flags & NFT_SET_TIMEOUT))
150 return -EOPNOTSUPP;
151 break;
152 default:
153 return -EOPNOTSUPP;
154 }
155
156 timeout = 0;
157 if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
158 if (!(set->flags & NFT_SET_TIMEOUT))
159 return -EINVAL;
> 160 timeout = nf_msecs_to_jiffies(be64_to_cpu(nla_get_be64(tb[NFTA_DYNSET_TIMEOUT])));
161 }
162
163 priv->sreg_key = nft_parse_register(tb[NFTA_DYNSET_SREG_KEY]);
164 err = nft_validate_register_load(priv->sreg_key, set->klen);
165 if (err < 0)
166 return err;
167
168 if (tb[NFTA_DYNSET_SREG_DATA] != NULL) {
169 if (!(set->flags & NFT_SET_MAP))
170 return -EINVAL;
171 if (set->dtype == NFT_DATA_VERDICT)
172 return -EOPNOTSUPP;
173
174 priv->sreg_data = nft_parse_register(tb[NFTA_DYNSET_SREG_DATA]);
175 err = nft_validate_register_load(priv->sreg_data, set->dlen);
176 if (err < 0)
177 return err;
178 } else if (set->flags & NFT_SET_MAP)
179 return -EINVAL;
180
181 if (tb[NFTA_DYNSET_EXPR] != NULL) {
182 if (!(set->flags & NFT_SET_EVAL))
183 return -EINVAL;
184
185 priv->expr = nft_set_elem_expr_alloc(ctx, set,
186 tb[NFTA_DYNSET_EXPR]);
187 if (IS_ERR(priv->expr))
188 return PTR_ERR(priv->expr);
189
190 if (set->expr && set->expr->ops != priv->expr->ops) {
191 err = -EOPNOTSUPP;
192 goto err_expr_free;
193 }
194 }
195
196 nft_set_ext_prepare(&priv->tmpl);
197 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_KEY, set->klen);
198 if (set->flags & NFT_SET_MAP)
199 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_DATA, set->dlen);
200 if (priv->expr != NULL)
201 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_EXPR,
202 priv->expr->ops->size);
203 if (set->flags & NFT_SET_TIMEOUT) {
204 if (timeout || set->timeout)
205 nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_EXPIRATION);
206 }
207
208 priv->timeout = timeout;
209
210 err = nf_tables_bind_set(ctx, set, &priv->binding);
211 if (err < 0)
212 goto err_expr_free;
213
214 if (set->size == 0)
215 set->size = 0xffff;
216
217 priv->set = set;
218 return 0;
219
220 err_expr_free:
221 if (priv->expr != NULL)
222 nft_expr_destroy(ctx, priv->expr);
223 return err;
224 }
225
226 static void nft_dynset_deactivate(const struct nft_ctx *ctx,
227 const struct nft_expr *expr,
228 enum nft_trans_phase phase)
229 {
230 struct nft_dynset *priv = nft_expr_priv(expr);
231
232 nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
233 }
234
235 static void nft_dynset_activate(const struct nft_ctx *ctx,
236 const struct nft_expr *expr)
237 {
238 struct nft_dynset *priv = nft_expr_priv(expr);
239
240 priv->set->use++;
241 }
242
243 static void nft_dynset_destroy(const struct nft_ctx *ctx,
244 const struct nft_expr *expr)
245 {
246 struct nft_dynset *priv = nft_expr_priv(expr);
247
248 if (priv->expr != NULL)
249 nft_expr_destroy(ctx, priv->expr);
250
251 nf_tables_destroy_set(ctx, priv->set);
252 }
253
254 static int nft_dynset_dump(struct sk_buff *skb, const struct nft_expr *expr)
255 {
256 const struct nft_dynset *priv = nft_expr_priv(expr);
257 u32 flags = priv->invert ? NFT_DYNSET_F_INV : 0;
258
259 if (nft_dump_register(skb, NFTA_DYNSET_SREG_KEY, priv->sreg_key))
260 goto nla_put_failure;
261 if (priv->set->flags & NFT_SET_MAP &&
262 nft_dump_register(skb, NFTA_DYNSET_SREG_DATA, priv->sreg_data))
263 goto nla_put_failure;
264 if (nla_put_be32(skb, NFTA_DYNSET_OP, htonl(priv->op)))
265 goto nla_put_failure;
266 if (nla_put_string(skb, NFTA_DYNSET_SET_NAME, priv->set->name))
267 goto nla_put_failure;
268 if (nla_put_be64(skb, NFTA_DYNSET_TIMEOUT,
> 269 cpu_to_be64(nf_jiffies_to_msecs(priv->timeout)),
270 NFTA_DYNSET_PAD))
271 goto nla_put_failure;
272 if (priv->expr && nft_expr_dump(skb, NFTA_DYNSET_EXPR, priv->expr))
273 goto nla_put_failure;
274 if (nla_put_be32(skb, NFTA_DYNSET_FLAGS, htonl(flags)))
275 goto nla_put_failure;
276 return 0;
277
278 nla_put_failure:
279 return -1;
280 }
281
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 58931 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-12-09 4:31 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-08 17:37 [PATCH nf] netfilter: nftables: fix incorrect element timeout Pablo Neira Ayuso
2020-12-08 17:42 ` Pablo Neira Ayuso
2020-12-09 4:30 ` kernel test robot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).