From: Florian Westphal <fw@strlen.de>
To: Stephen Suryaputra <ssuryaextr@gmail.com>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: nf_tables: nft_exthdr: the presence return value should be little-endian
Date: Tue, 4 Aug 2020 00:15:34 +0200 [thread overview]
Message-ID: <20200803221534.GR29169@breakpoint.cc> (raw)
In-Reply-To: <20200803182001.9243-1-ssuryaextr@gmail.com>
Stephen Suryaputra <ssuryaextr@gmail.com> wrote:
> On big-endian machine, the returned register data when the exthdr is
> present is not being compared correctly because little-endian is
> assumed. The function nft_cmp_fast_mask(), called by nft_cmp_fast_eval()
> and nft_cmp_fast_init(), calls cpu_to_le32().
>
> The following dump also shows that little endian is assumed:
>
> $ nft --debug=netlink add rule ip recordroute forward ip option rr exists counter
> ip
> [ exthdr load ipv4 1b @ 7 + 0 present => reg 1 ]
> [ cmp eq reg 1 0x01000000 ]
> [ counter pkts 0 bytes 0 ]
>
> Lastly, debug print in nft_cmp_fast_init() and nft_cmp_fast_eval() when
> RR option exists in the packet shows that the comparison fails because
> the assumption:
>
> nft_cmp_fast_init:189 priv->sreg=4 desc.len=8 mask=0xff000000 data.data[0]=0x10003e0
> nft_cmp_fast_eval:57 regs->data[priv->sreg=4]=0x1 mask=0xff000000 priv->data=0x1000000
Right, nft userspace assumes a boolean data type when it does existence
check.
> diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
> index 07782836fad6..50e4935585e3 100644
> --- a/net/netfilter/nft_exthdr.c
> +++ b/net/netfilter/nft_exthdr.c
> @@ -44,7 +44,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
>
> err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
> if (priv->flags & NFT_EXTHDR_F_PRESENT) {
> - *dest = (err >= 0);
> + *dest = cpu_to_le32(err >= 0);
Both should probably use nft_reg_store8(dst, err >= 0) for consistency
with the rest.
But the patch looks correct to me, thanks.
next prev parent reply other threads:[~2020-08-03 22:15 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-03 18:20 [PATCH nf] netfilter: nf_tables: nft_exthdr: the presence return value should be little-endian Stephen Suryaputra
2020-08-03 22:15 ` Florian Westphal [this message]
2020-08-04 11:43 ` kernel test robot
2020-08-04 11:43 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200803221534.GR29169@breakpoint.cc \
--to=fw@strlen.de \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=ssuryaextr@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.