[PATCH -next 1/2] netfilter: nf_queue: cleanup copy

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage
@ 2013-06-05  8:22 Florian Westphal
  2013-06-05  8:22 ` [PATCH -next 2/2] netfilter: nfnetlink_queue: only add CAP_LEN attr when needed Florian Westphal
  2013-06-05 10:42 ` [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage Pablo Neira Ayuso
  0 siblings, 2 replies; 4+ messages in thread
From: Florian Westphal @ 2013-06-05  8:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

For every packet queued, we check if configured copy_range
is 0, and treat that as 'copy entire packet'.

We can move this check to the queue configuration, and can
set copy_range appropriately.

Also, convert repetitive '0xffff - NLA_HDRLEN' to a macro.

[ queue initialization still used 0xffff, although its harmless
  since the initial setting is overwritten on queue config ]

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 Changes since v1:
 - split CAP_LEN change into separate patch
 - also move comment

diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index cff4449..3c42181 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -41,6 +41,14 @@
 
 #define NFQNL_QMAX_DEFAULT 1024
 
+/* We're using struct nlattr which has 16bit nla_len. Note that nla_len
+ * includes the header length. Thus, the maximum packet length that we
+ * support is 65531 bytes. We send truncated packets if the specified length
+ * is larger than that.  Userspace can check for presence of NFQA_CAP_LEN
+ * attribute to detect truncation.
+ */
+#define NFQNL_MAX_COPY_RANGE (0xffff - NLA_HDRLEN)
+
 struct nfqnl_instance {
 	struct hlist_node hlist;		/* global list of queues */
 	struct rcu_head rcu;
@@ -122,7 +130,7 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num,
 	inst->queue_num = queue_num;
 	inst->peer_portid = portid;
 	inst->queue_maxlen = NFQNL_QMAX_DEFAULT;
-	inst->copy_range = 0xffff;
+	inst->copy_range = NFQNL_MAX_COPY_RANGE;
 	inst->copy_mode = NFQNL_COPY_NONE;
 	spin_lock_init(&inst->lock);
 	INIT_LIST_HEAD(&inst->queue_list);
@@ -333,10 +341,9 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 			return NULL;
 
 		data_len = ACCESS_ONCE(queue->copy_range);
-		if (data_len == 0 || data_len > entskb->len)
+		if (data_len > entskb->len)
 			data_len = entskb->len;
 
-
 		if (!entskb->head_frag ||
 		    skb_headlen(entskb) < L1_CACHE_BYTES ||
 		    skb_shinfo(entskb)->nr_frags >= MAX_SKB_FRAGS)
@@ -727,13 +734,8 @@ nfqnl_set_mode(struct nfqnl_instance *queue,
 
 	case NFQNL_COPY_PACKET:
 		queue->copy_mode = mode;
-		/* We're using struct nlattr which has 16bit nla_len. Note that
-		 * nla_len includes the header length. Thus, the maximum packet
-		 * length that we support is 65531 bytes. We send truncated
-		 * packets if the specified length is larger than that.
-		 */
-		if (range > 0xffff - NLA_HDRLEN)
-			queue->copy_range = 0xffff - NLA_HDRLEN;
+		if (range == 0 || range > NFQNL_MAX_COPY_RANGE)
+			queue->copy_range = NFQNL_MAX_COPY_RANGE;
 		else
 			queue->copy_range = range;
 		break;
-- 
1.7.8.6


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH -next 2/2] netfilter: nfnetlink_queue: only add CAP_LEN attr when needed
  2013-06-05  8:22 [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage Florian Westphal
@ 2013-06-05  8:22 ` Florian Westphal
  2013-06-05 10:43   ` Pablo Neira Ayuso
  2013-06-05 10:42 ` [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage Pablo Neira Ayuso
  1 sibling, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2013-06-05  8:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

CAP_LEN contains the size of the network packet we're queueing to
userspace, i.e. normally it is the same as the NFQA_PAYLOAD attribute len.

Include it only in the unlikely case when NFQA_PAYLOAD is truncated due
to copy_range limitations.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 Tested with examples/nf-queue.c from libnfqueue, it still
 prints 'truncated packet' on 1st packet sent from tracepath.

diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 3c42181..eb2cde8 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -472,7 +472,8 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 	if (ct && nfqnl_ct_put(skb, ct, ctinfo) < 0)
 		goto nla_put_failure;
 
-	if (cap_len > 0 && nla_put_be32(skb, NFQA_CAP_LEN, htonl(cap_len)))
+	if (cap_len > data_len &&
+	    nla_put_be32(skb, NFQA_CAP_LEN, htonl(cap_len)))
 		goto nla_put_failure;
 
 	if (nfqnl_put_packet_info(skb, entskb))
-- 
1.7.8.6


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage
  2013-06-05  8:22 [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage Florian Westphal
  2013-06-05  8:22 ` [PATCH -next 2/2] netfilter: nfnetlink_queue: only add CAP_LEN attr when needed Florian Westphal
@ 2013-06-05 10:42 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-05 10:42 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Wed, Jun 05, 2013 at 10:22:15AM +0200, Florian Westphal wrote:
> For every packet queued, we check if configured copy_range
> is 0, and treat that as 'copy entire packet'.
> 
> We can move this check to the queue configuration, and can
> set copy_range appropriately.
> 
> Also, convert repetitive '0xffff - NLA_HDRLEN' to a macro.
> 
> [ queue initialization still used 0xffff, although its harmless
>   since the initial setting is overwritten on queue config ]

Applied, thanks Florian.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH -next 2/2] netfilter: nfnetlink_queue: only add CAP_LEN attr when needed
  2013-06-05  8:22 ` [PATCH -next 2/2] netfilter: nfnetlink_queue: only add CAP_LEN attr when needed Florian Westphal
@ 2013-06-05 10:43   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-05 10:43 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Wed, Jun 05, 2013 at 10:22:16AM +0200, Florian Westphal wrote:
> CAP_LEN contains the size of the network packet we're queueing to
> userspace, i.e. normally it is the same as the NFQA_PAYLOAD attribute len.
> 
> Include it only in the unlikely case when NFQA_PAYLOAD is truncated due
> to copy_range limitations.

Also applied, thanks!

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2013-06-05 10:44 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-05  8:22 [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage Florian Westphal
2013-06-05  8:22 ` [PATCH -next 2/2] netfilter: nfnetlink_queue: only add CAP_LEN attr when needed Florian Westphal
2013-06-05 10:43   ` Pablo Neira Ayuso
2013-06-05 10:42 ` [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage Pablo Neira Ayuso

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.