netdev.vger.kernel.org archive mirror
* [PATCH net-next] packet: pdiag_put_ring() should return TX_RING info for TPACKET_V3
       [not found] <cover.1484060892.git.sowmini.varadhan@oracle.com>
@ 2017-01-10 15:47 ` Sowmini Varadhan
  2017-01-11  2:03   ` David Miller
  2017-01-12 13:10 ` [PATCH net-next] tools: psock_lib: harden socket filter used by psock tests Sowmini Varadhan
  1 sibling, 1 reply; 5+ messages in thread
From: Sowmini Varadhan @ 2017-01-10 15:47 UTC (permalink / raw)
  To: netdev, sowmini.varadhan; +Cc: daniel, willemb, davem

Commit 7f953ab2ba46 ("af_packet: TX_RING support for TPACKET_V3")
now makes it possible to use TX_RING with TPACKET_V3, so make the
relevant information available via 'ss -e -a --packet'

Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
---
 net/packet/diag.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/net/packet/diag.c b/net/packet/diag.c
index 0ed68f0..7ef1c88 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -73,8 +73,7 @@ static int pdiag_put_ring(struct packet_ring_buffer *ring, int ver, int nl_type,
 {
 	struct packet_diag_ring pdr;
 
-	if (!ring->pg_vec || ((ver > TPACKET_V2) &&
-				(nl_type == PACKET_DIAG_TX_RING)))
+	if (!ring->pg_vec)
 		return 0;
 
 	pdr.pdr_block_size = ring->pg_vec_pages << PAGE_SHIFT;
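
Review bot: with the `(ver > TPACKET_V2) && (nl_type == PACKET_DIAG_TX_RING)` exclusion removed from the guard at the top of pdiag_put_ring(), everything after `if (!ring->pg_vec)` now runs for a TPACKET_V3 TX ring as well. Only the `pdr.pdr_block_size` assignment is visible here, so please confirm that any version-dependent fields filled in further down are populated for a TX ring and not only for RX, and say so in the commit message. It would also help to state whether `ver` and `nl_type` are still used elsewhere in the function; if not, they can be dropped from the signature.
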
-- 
1.7.1


* Re: [PATCH net-next] packet: pdiag_put_ring() should return TX_RING info for TPACKET_V3
  2017-01-10 15:47 ` [PATCH net-next] packet: pdiag_put_ring() should return TX_RING info for TPACKET_V3 Sowmini Varadhan
@ 2017-01-11  2:03   ` David Miller
  0 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2017-01-11  2:03 UTC (permalink / raw)
  To: sowmini.varadhan; +Cc: netdev, daniel, willemb

From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date: Tue, 10 Jan 2017 07:47:15 -0800

> Commit 7f953ab2ba46 ("af_packet: TX_RING support for TPACKET_V3")
> now makes it possible to use TX_RING with TPACKET_V3, so make the
> relevant information available via 'ss -e -a --packet'
> 
> Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>

Applied, thanks.


* [PATCH net-next] tools: psock_lib: harden socket filter used by psock tests
       [not found] <cover.1484060892.git.sowmini.varadhan@oracle.com>
  2017-01-10 15:47 ` [PATCH net-next] packet: pdiag_put_ring() should return TX_RING info for TPACKET_V3 Sowmini Varadhan
@ 2017-01-12 13:10 ` Sowmini Varadhan
  2017-01-12 14:37   ` Daniel Borkmann
  2017-01-12 15:51   ` David Miller
  1 sibling, 2 replies; 5+ messages in thread
From: Sowmini Varadhan @ 2017-01-12 13:10 UTC (permalink / raw)
  To: netdev, sowmini.varadhan; +Cc: daniel, willemb, davem

The filter added by sock_setfilter is intended to only permit
packets matching the pattern set up by create_payload(), but
we only check the ip_len, and a single test-character in
the IP packet to ensure this condition.

Harden the filter by adding additional constraints so that we only
permit UDP/IPv4 packets that meet the ip_len and test-character
requirements. Include the bpf_asm src as a comment, in case this
needs to be enhanced in the future

Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
---
 tools/testing/selftests/net/psock_lib.h |   39 +++++++++++++++++++++++++-----
 1 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/tools/testing/selftests/net/psock_lib.h b/tools/testing/selftests/net/psock_lib.h
index 24bc7ec..a77da88 100644
--- a/tools/testing/selftests/net/psock_lib.h
+++ b/tools/testing/selftests/net/psock_lib.h
@@ -40,14 +40,39 @@
 
 static __maybe_unused void sock_setfilter(int fd, int lvl, int optnum)
 {
+	/* the filter below checks for all of the following conditions that
+	 * are based on the contents of create_payload()
+	 *  ether type 0x800 and
+	 *  ip proto udp     and
+	 *  skb->len == DATA_LEN and
+	 *  udp[38] == 'a' or udp[38] == 'b'
+	 * It can be generated from the following bpf_asm input:
+	 *	ldh [12]
+	 *	jne #0x800, drop	; ETH_P_IP
+	 *	ldb [23]
+	 *	jneq #17, drop		; IPPROTO_UDP
+	 *	ld len			; ld skb->len
+	 *	jlt #100, drop		; DATA_LEN
+	 *	ldb [80]
+	 *	jeq #97, pass		; DATA_CHAR
+	 *	jne #98, drop		; DATA_CHAR_1
+	 *	pass:
+	 *	  ret #-1
+	 *	drop:
+	 *	  ret #0
+	 */
 	struct sock_filter bpf_filter[] = {
-		{ 0x80, 0, 0, 0x00000000 },  /* LD  pktlen		      */
-		{ 0x35, 0, 4, DATA_LEN   },  /* JGE DATA_LEN  [f goto nomatch]*/
-		{ 0x30, 0, 0, 0x00000050 },  /* LD  ip[80]		      */
-		{ 0x15, 1, 0, DATA_CHAR  },  /* JEQ DATA_CHAR   [t goto match]*/
-		{ 0x15, 0, 1, DATA_CHAR_1},  /* JEQ DATA_CHAR_1 [t goto match]*/
-		{ 0x06, 0, 0, 0x00000060 },  /* RET match	              */
-		{ 0x06, 0, 0, 0x00000000 },  /* RET no match		      */
+		{ 0x28,  0,  0, 0x0000000c },
+		{ 0x15,  0,  8, 0x00000800 },
+		{ 0x30,  0,  0, 0x00000017 },
+		{ 0x15,  0,  6, 0x00000011 },
+		{ 0x80,  0,  0, 0000000000 },
+		{ 0x35,  0,  4, 0x00000064 },
+		{ 0x30,  0,  0, 0x00000050 },
+		{ 0x15,  1,  0, 0x00000061 },
+		{ 0x15,  0,  1, 0x00000062 },
+		{ 0x06,  0,  0, 0xffffffff },
+		{ 0x06,  0,  0, 0000000000 },
 	};
 	struct sock_fprog bpf_prog;
 
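
Review bot: the new bpf_filter[] entries hard-code `0x00000064`, `0x00000061` and `0x00000062` where the removed lines used DATA_LEN, DATA_CHAR and DATA_CHAR_1, so the filter will silently stop matching create_payload() if those macros ever change; keeping the macro names in the array (and dropping the per-instruction comments only if really needed) avoids that. The block comment says `skb->len == DATA_LEN`, but `jlt #100, drop` (0x35 with jf=4) accepts any length >= 100, so the comment should read `>=`. `ldb [80]` and `ldb [23]` are absolute offsets that assume an Ethernet header and a 20-byte IPv4 header with no options; a note to that effect next to `udp[38]` would make the constraint explicit. The match return also changes from `0x00000060` to `0xffffffff` (`ret #-1`), which lifts the previous 96-byte truncation and is not mentioned in the commit message. Minor: `0000000000` is an octal literal and would read better as `0x00000000`, and the asm listing mixes `jne` and `jneq`.
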
-- 
1.7.1


* Re: [PATCH net-next] tools: psock_lib: harden socket filter used by psock tests
  2017-01-12 13:10 ` [PATCH net-next] tools: psock_lib: harden socket filter used by psock tests Sowmini Varadhan
@ 2017-01-12 14:37   ` Daniel Borkmann
  2017-01-12 15:51   ` David Miller
  1 sibling, 0 replies; 5+ messages in thread
From: Daniel Borkmann @ 2017-01-12 14:37 UTC (permalink / raw)
  To: Sowmini Varadhan, netdev; +Cc: willemb, davem

On 01/12/2017 02:10 PM, Sowmini Varadhan wrote:
> The filter added by sock_setfilter is intended to only permit
> packets matching the pattern set up by create_payload(), but
> we only check the ip_len, and a single test-character in
> the IP packet to ensure this condition.
>
> Harden the filter by adding additional constraints so that we only
> permit UDP/IPv4 packets that meet the ip_len and test-character
> requirements. Include the bpf_asm src as a comment, in case this
> needs to be enhanced in the future
>
> Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>

LGTM, thanks!

Acked-by: Daniel Borkmann <daniel@iogearbox.net>


* Re: [PATCH net-next] tools: psock_lib: harden socket filter used by psock tests
  2017-01-12 13:10 ` [PATCH net-next] tools: psock_lib: harden socket filter used by psock tests Sowmini Varadhan
  2017-01-12 14:37   ` Daniel Borkmann
@ 2017-01-12 15:51   ` David Miller
  1 sibling, 0 replies; 5+ messages in thread
From: David Miller @ 2017-01-12 15:51 UTC (permalink / raw)
  To: sowmini.varadhan; +Cc: netdev, daniel, willemb

From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date: Thu, 12 Jan 2017 05:10:11 -0800

> The filter added by sock_setfilter is intended to only permit
> packets matching the pattern set up by create_payload(), but
> we only check the ip_len, and a single test-character in
> the IP packet to ensure this condition.
> 
> Harden the filter by adding additional constraints so that we only
> permit UDP/IPv4 packets that meet the ip_len and test-character
> requirements. Include the bpf_asm src as a comment, in case this
> needs to be enhanced in the future
> 
> Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>

Applied, thanks.
