From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nf-next v4 3/5] netfilter: nf_tables: preemptive fix for audit selftest failure
Date: Thu, 7 Nov 2024 18:44:07 +0100
Message-ID: <20241107174415.4690-4-fw@strlen.de>
In-Reply-To: <20241107174415.4690-1-fw@strlen.de>
nftables audit log format unfortunately leaks an implementation detail, the
transaction log size, to userspace:
table=t1 family=2 entries=4 op=nft_register_set
~~~~~~~~~
This 'entries' key is the number of transactions that will be applied.
The upcoming set element compression (add elem x to set s, add element y
to s would be placed in a single transaction request) would lower that
number to 3.
Increment the audit counter by the number of elements to keep the reported
entries value the same.
Without this, nft_audit.sh selftest fails because the recorded
(expected) entries key is smaller than the expected one.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_tables_api.c | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 5eab6f121684..bdf5ba21c76d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10397,9 +10397,26 @@ static void nf_tables_commit_audit_free(struct list_head *adl)
}
}
+/* Silly, but existing test audit test cases require a count
+ * value derived from the (INTERNAL!) transaction log length.
+ *
+ * Thus, compaction of NEW/DELSETELEM breaks such tests.
+ */
+static unsigned int nf_tables_commit_audit_entrycount(const struct nft_trans *trans)
+{
+ switch (trans->msg_type) {
+ case NFT_MSG_NEWSETELEM:
+ case NFT_MSG_DELSETELEM:
+ return nft_trans_container_elem(trans)->nelems;
+ }
+
+ return 1;
+}
+
static void nf_tables_commit_audit_collect(struct list_head *adl,
- struct nft_table *table, u32 op)
+ const struct nft_trans *trans, u32 op)
{
+ const struct nft_table *table = trans->table;
struct nft_audit_data *adp;
list_for_each_entry(adp, adl, list) {
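Review bot: the comment above nf_tables_commit_audit_entrycount() reads "existing test audit test cases" (duplicated "test"); suggest "existing audit test cases". It would also help to state in that comment that the function returns 1 for every message type other than NFT_MSG_NEWSETELEM/NFT_MSG_DELSETELEM, so that the new "entries" value is the old per-transaction count plus the per-element count only for compacted set element transactions.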
@@ -10409,7 +10426,7 @@ static void nf_tables_commit_audit_collect(struct list_head *adl,
WARN_ONCE(1, "table=%s not expected in commit list", table->name);
return;
found:
- adp->entries++;
+ adp->entries += nf_tables_commit_audit_entrycount(trans);
if (!adp->op || adp->op > op)
adp->op = op;
}
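Review bot: replacing `adp->entries++` with `adp->entries += nf_tables_commit_audit_entrycount(trans)` means a NEW/DELSETELEM transaction whose nelems is 0 would no longer bump the counter at all, whereas the old code always counted it once; please confirm such a transaction cannot reach the commit list, or make the helper return at least 1, so the audit "entries" value stays identical to the pre-compaction number as the changelog promises.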
@@ -10568,7 +10585,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
nft_ctx_update(&ctx, trans);
- nf_tables_commit_audit_collect(&adl, table, trans->msg_type);
+ nf_tables_commit_audit_collect(&adl, trans, trans->msg_type);
switch (trans->msg_type) {
case NFT_MSG_NEWTABLE:
if (nft_trans_table_update(trans)) {
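Review bot: with nf_tables_commit_audit_collect() now taking the transaction, the separate `u32 op` parameter is redundant, since the only caller passes `trans->msg_type`; consider dropping it and reading `trans->msg_type` inside the function, which also removes the possibility of the two arguments disagreeing.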
--
2.45.2