From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, audit@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: nf_tables: Unbreak audit log reset
Date: Wed, 6 Sep 2023 19:08:40 +0200 [thread overview]
Message-ID: <ZPiyGC+TfRgyOabJ@orbyte.nwl.cc> (raw)
In-Reply-To: <ZPhm1mf0GaeQUr0e@calendula>
On Wed, Sep 06, 2023 at 01:47:34PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Sep 06, 2023 at 01:32:50PM +0200, Phil Sutter wrote:
> > On Wed, Sep 06, 2023 at 11:42:02AM +0200, Pablo Neira Ayuso wrote:
> > > Deliver audit log from __nf_tables_dump_rules(), table dereference at
> > > the end of the table list loop might point to the list head, leading to
> > > this crash.
> >
> > Ah, of course. Sorry for the mess. I missed the fact that one may just
> > call 'reset rules' and have it apply to all existing tables.
> >
> > [...]
> > > Deliver audit log only once at the end of the rule dump+reset for
> > > consistency with the set dump+reset.
> >
> > This may seem like number of audit logs is reduced, when it is actually
> > increased: With your patch, there will be at least one notification for
> > each chain, multiple with large chains (due to skb exhaustion).
>
> With your patch, this is called for each netlink_recvmsg() invocation,
> which is more audit logs.
>
> @@ -3540,9 +3544,6 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
> done:
> rcu_read_unlock();
>
> - if (reset && idx > cb->args[0])
> - audit_log_rule_reset(table, cb->seq, idx - cb->args[0]);
> -
> cb->args[0] = idx;
> return skb->len;
> }
>
> netlink dump is composed of a series of recvmsg() from userspace to
> fetch the multiple chunks that represent the rules in this table.
> If I read fine above, as the netlink dump makes progress, idx will
> always go over cb->args[0], which evaluates true for each recvmsg()
> call. With my patch this is less audit logs because audit log is only
> delivered once for each chain, not for each recvmsg() call.
Here's a simple example:
| for table in t1 t2; do
| echo "add table $table"
| for chain in c1 c2 c3; do
| echo "add chain $table $chain"
| echo "add rule $table $chain counter accept"
| echo "add rule $table $chain counter accept"
| echo "add rule $table $chain counter accept"
| done
| done | nft -f -
| nft reset rules
| nft reset rules table t1
Before your patch, audit NETFILTER_CFG messages are:
| type=NETFILTER_CFG msg=audit(1694018800.149:1917): table=(null):5 family=0 entries=18 op=nft_reset_rule pid=6558 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694018848.399:1918): table=t1:5 family=2 entries=9 op=nft_reset_rule pid=6565 subj=kernel comm="nft"
(Note the NULL table name pointer in the first one.)
With your patch applied, these are the respective audit messages:
| type=NETFILTER_CFG msg=audit(1694020131.459:3): table=t1:2 family=2 entries=3 op=nft_reset_rule pid=3119 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020131.459:3): table=t1:2 family=2 entries=6 op=nft_reset_rule pid=3119 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020131.459:3): table=t1:2 family=2 entries=9 op=nft_reset_rule pid=3119 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020131.459:3): table=t2:2 family=2 entries=12 op=nft_reset_rule pid=3119 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020131.459:3): table=t2:2 family=2 entries=15 op=nft_reset_rule pid=3119 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020131.459:3): table=t2:2 family=2 entries=18 op=nft_reset_rule pid=3119 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020131.489:4): table=t1:2 family=2 entries=3 op=nft_reset_rule pid=3119 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020131.489:4): table=t1:2 family=2 entries=6 op=nft_reset_rule pid=3119 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020131.489:4): table=t1:2 family=2 entries=9 op=nft_reset_rule pid=3119 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020131.489:4): table=t2:2 family=2 entries=12 op=nft_reset_rule pid=3119 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020131.489:4): table=t2:2 family=2 entries=15 op=nft_reset_rule pid=3119 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020131.489:4): table=t2:2 family=2 entries=18 op=nft_reset_rule pid=3119 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020206.579:5): table=t1:2 family=2 entries=3 op=nft_reset_rule pid=3126 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020206.579:5): table=t1:2 family=2 entries=6 op=nft_reset_rule pid=3126 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020206.579:5): table=t1:2 family=2 entries=9 op=nft_reset_rule pid=3126 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020206.609:6): table=t1:2 family=2 entries=3 op=nft_reset_rule pid=3126 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020206.609:6): table=t1:2 family=2 entries=6 op=nft_reset_rule pid=3126 subj=kernel comm="nft"
| type=NETFILTER_CFG msg=audit(1694020206.609:6): table=t1:2 family=2 entries=9 op=nft_reset_rule pid=3126 subj=kernel comm="nft"
The last six come from the 'reset rules table t1' command. While on one
hand it looks like nftables fits only three rules into a single skb,
your fix seems to have a problem in that it doesn't subtract s_idx from
*idx.
Cheers, Phil
next prev parent reply other threads:[~2023-09-06 17:08 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-06 9:42 [PATCH nf] netfilter: nf_tables: Unbreak audit log reset Pablo Neira Ayuso
2023-09-06 11:32 ` Phil Sutter
2023-09-06 11:47 ` Pablo Neira Ayuso
2023-09-06 17:08 ` Phil Sutter [this message]
2023-09-06 18:46 ` Pablo Neira Ayuso
2023-09-06 19:56 ` Paul Moore
2023-09-06 21:39 ` Phil Sutter
2023-09-06 22:21 ` Pablo Neira Ayuso
2023-09-06 22:41 ` Paul Moore
2023-09-06 23:01 ` Pablo Neira Ayuso
2023-09-06 23:25 ` Paul Moore
2023-09-06 22:36 ` Paul Moore
2023-09-06 18:20 ` Richard Guy Briggs
2023-09-06 18:22 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZPiyGC+TfRgyOabJ@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=audit@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.