From: Florian Westphal <fw@strlen.de>
To: Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Christoph Paasch <cpaasch@apple.com>,
Netfilter <netfilter-devel@vger.kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, daniel@iogearbox.net, willemb@google.com
Subject: Re: [PATCH nf] netfilter: nf_reject: init skb->dev for reset packet
Date: Thu, 6 Jun 2024 11:26:20 +0200
Message-ID: <20240606092620.GC4688@breakpoint.cc>
In-Reply-To: <20240605190833.GB7176@breakpoint.cc>
Florian Westphal <fw@strlen.de> wrote:
> When this was added (handle dissection from bpf prog, per netns), the correct
> solution would have been to pass 'struct net' explicitly via skb_get_hash()
> and all variants. As that was likely deemed to be too much code churn it
> tries to infer struct net via skb->{dev,sk}.
>
> So there are several options here:
> 1. remove the WARN_ON_ONCE and be done with it
> 2. remove the WARN_ON_ONCE and pretend net was init_net
> 3. also look at skb_dst(skb)->dev if skb->dev is unset, then back to 1)
> or 2)
> 4. stop using skb_get_hash() from netfilter (but there are likely other
> callers that might hit this).
diff --git a/net/netfilter/nf_tables_trace.c b/net/netfilter/nf_tables_trace.c
--- a/net/netfilter/nf_tables_trace.c
+++ b/net/netfilter/nf_tables_trace.c
@@ -303,6 +303,30 @@ void nft_trace_notify(const struct nft_pktinfo *pkt,
kfree_skb(skb);
}
+static u32 __nf_skb_get_hash(const struct net *net, struct sk_buff *skb)
+{
+ struct flow_keys keys;
+ u32 hash;
+
+ memset(&keys, 0, sizeof(keys));
+
+ __skb_flow_dissect(net, skb, &flow_keys_dissector,
+ &keys, NULL, 0, 0, 0,
+ FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL);
+
+ hash = flow_hash_from_keys(&keys);
+ __skb_set_sw_hash(skb, hash, flow_keys_have_l4(&keys));
+ return hash;
+}
+
+static u32 nf_skb_get_hash(const struct net *net, struct sk_buff *skb)
+{
+ if (!skb->l4_hash && !skb->sw_hash)
+ return __nf_skb_get_hash(net, skb);
+
+ return skb->hash;
+}
+
void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
const struct nft_chain *chain)
{
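Review bot: __nf_skb_get_hash() ignores the return value of __skb_flow_dissect() and then stores the result with __skb_set_sw_hash(), so when dissection fails the skb is still marked as carrying a software hash, computed from the keys left zeroed by the memset(). If that is intended, a short comment above the helper should say so. The same comment should state why net is passed explicitly instead of being inferred from the skb. Both helpers are also static to nf_tables_trace.c and undocumented, so it is worth noting that they exist only for callers where skb->dev may be unset.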
@@ -317,7 +341,7 @@ void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
net_get_random_once(&trace_key, sizeof(trace_key));
info->skbid = (u32)siphash_3u32(hash32_ptr(skb),
- skb_get_hash(skb),
+ nf_skb_get_hash(nft_net(pkt), skb),
skb->skb_iif,
&trace_key);
}
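Review bot: the nf_skb_get_hash(nft_net(pkt), skb) argument in the siphash_3u32() call needs a one-line comment saying why skb_get_hash() is not used here, namely that the netns is taken from pkt because skb->dev can be unset for packets reaching this path. Without it a later cleanup could swap the generic helper back in. It is also worth confirming that this call is still allowed to set the skb's software hash as a side effect of computing info->skbid, since nf_skb_get_hash() writes to the skb when no hash is present.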
... doesn't solve the nft_hash.c issue (which calls _symmetric version, and
that uses flow_key definition that isn't exported outside flow_dissector.o).