* [PATCH net-next] packet: pdiag_put_ring() should return TX_RING info for TPACKET_V3 [not found] <cover.1484060892.git.sowmini.varadhan@oracle.com> @ 2017-01-10 15:47 ` Sowmini Varadhan 2017-01-11 2:03 ` David Miller 2017-01-12 13:10 ` [PATCH net-next] tools: psock_lib: harden socket filter used by psock tests Sowmini Varadhan 1 sibling, 1 reply; 5+ messages in thread From: Sowmini Varadhan @ 2017-01-10 15:47 UTC (permalink / raw) To: netdev, sowmini.varadhan; +Cc: daniel, willemb, davem Commit 7f953ab2ba46 ("af_packet: TX_RING support for TPACKET_V3") now makes it possible to use TX_RING with TPACKET_V3, so make the the relevant information available via 'ss -e -a --packet' Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com> --- net/packet/diag.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/net/packet/diag.c b/net/packet/diag.c index 0ed68f0..7ef1c88 100644 --- a/net/packet/diag.c +++ b/net/packet/diag.c @@ -73,8 +73,7 @@ static int pdiag_put_ring(struct packet_ring_buffer *ring, int ver, int nl_type, { struct packet_diag_ring pdr; - if (!ring->pg_vec || ((ver > TPACKET_V2) && - (nl_type == PACKET_DIAG_TX_RING))) + if (!ring->pg_vec) return 0; pdr.pdr_block_size = ring->pg_vec_pages << PAGE_SHIFT; -- 1.7.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
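Review bot: `struct packet_diag_ring pdr;` is declared without an initializer, and with the guard reduced to `if (!ring->pg_vec)` the function now fills and reports `pdr` for the TPACKET_V3 + PACKET_DIAG_TX_RING case that it used to skip. The rest of the body is outside this hunk, so please confirm that every field of `pdr`, including anything selected by `ver`, is assigned a meaningful value for a TX ring before the struct is reported to user space. Zero-initializing `pdr` at its declaration would make that hold regardless of ring type. It would also help if the commit message stated what `ss -e -a --packet` is expected to print for a V3 TX ring, so the change can be checked against the output.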
* Re: [PATCH net-next] packet: pdiag_put_ring() should return TX_RING info for TPACKET_V3
From: David Miller @ 2017-01-11 2:03 UTC
To: sowmini.varadhan; +Cc: netdev, daniel, willemb

From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date: Tue, 10 Jan 2017 07:47:15 -0800

> Commit 7f953ab2ba46 ("af_packet: TX_RING support for TPACKET_V3")
> now makes it possible to use TX_RING with TPACKET_V3, so make
> the relevant information available via 'ss -e -a --packet'
>
> Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>

Applied, thanks.
* [PATCH net-next] tools: psock_lib: harden socket filter used by psock tests [not found] <cover.1484060892.git.sowmini.varadhan@oracle.com> 2017-01-10 15:47 ` [PATCH net-next] packet: pdiag_put_ring() should return TX_RING info for TPACKET_V3 Sowmini Varadhan @ 2017-01-12 13:10 ` Sowmini Varadhan 2017-01-12 14:37 ` Daniel Borkmann 2017-01-12 15:51 ` David Miller 1 sibling, 2 replies; 5+ messages in thread From: Sowmini Varadhan @ 2017-01-12 13:10 UTC (permalink / raw) To: netdev, sowmini.varadhan; +Cc: daniel, willemb, davem The filter added by sock_setfilter is intended to only permit packets matching the pattern set up by create_payload(), but we only check the ip_len, and a single test-character in the IP packet to ensure this condition. Harden the filter by adding additional constraints so that we only permit UDP/IPv4 packets that meet the ip_len and test-character requirements. Include the bpf_asm src as a comment, in case this needs to be enhanced in the future Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com> --- tools/testing/selftests/net/psock_lib.h | 39 +++++++++++++++++++++++++----- 1 files changed, 32 insertions(+), 7 deletions(-) diff --git a/tools/testing/selftests/net/psock_lib.h b/tools/testing/selftests/net/psock_lib.h index 24bc7ec..a77da88 100644 --- a/tools/testing/selftests/net/psock_lib.h +++ b/tools/testing/selftests/net/psock_lib.h 
@@ -40,14 +40,39 @@ static __maybe_unused void sock_setfilter(int fd, int lvl, int optnum) { + /* the filter below checks for all of the following conditions that + * are based on the contents of create_payload() + * ether type 0x800 and + * ip proto udp and + * skb->len == DATA_LEN and + * udp[38] == 'a' or udp[38] == 'b' + * It can be generated from the following bpf_asm input: + * ldh [12] + * jne #0x800, drop ; ETH_P_IP + * ldb [23] + * jneq #17, drop ; IPPROTO_UDP + * ld len ; ld skb->len + * jlt #100, drop ; DATA_LEN + * ldb [80] + * jeq #97, pass ; DATA_CHAR + * jne #98, drop ; DATA_CHAR_1 + * pass: + * ret #-1 + * drop: + * ret #0 + */ struct sock_filter bpf_filter[] = { - { 0x80, 0, 0, 0x00000000 }, /* LD pktlen */ - { 0x35, 0, 4, DATA_LEN }, /* JGE DATA_LEN [f goto nomatch]*/ - { 0x30, 0, 0, 0x00000050 }, /* LD ip[80] */ - { 0x15, 1, 0, DATA_CHAR }, /* JEQ DATA_CHAR [t goto match]*/ - { 0x15, 0, 1, DATA_CHAR_1}, /* JEQ DATA_CHAR_1 [t goto match]*/ - { 0x06, 0, 0, 0x00000060 }, /* RET match */ - { 0x06, 0, 0, 0x00000000 }, /* RET no match */ + { 0x28, 0, 0, 0x0000000c }, + { 0x15, 0, 8, 0x00000800 }, + { 0x30, 0, 0, 0x00000017 }, + { 0x15, 0, 6, 0x00000011 }, + { 0x80, 0, 0, 0000000000 }, + { 0x35, 0, 4, 0x00000064 }, + { 0x30, 0, 0, 0x00000050 }, + { 0x15, 1, 0, 0x00000061 }, + { 0x15, 0, 1, 0x00000062 }, + { 0x06, 0, 0, 0xffffffff }, + { 0x06, 0, 0, 0000000000 }, }; struct sock_fprog bpf_prog; -- 1.7.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
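Review bot: the comment block and the instructions disagree on the length test: the comment says `skb->len == DATA_LEN`, but `jlt #100, drop` (encoded as `{ 0x35, 0, 4, 0x00000064 }`, a JGE) accepts any packet of 100 bytes or more, so either the comment should read `skb->len >= DATA_LEN` or the filter needs an equality test. The new array also hard-codes 0x64, 0x61 and 0x62 where the old one used DATA_LEN, DATA_CHAR and DATA_CHAR_1, so a later change to those macros will silently stop matching the filter; keeping the symbolic names in the array (and the per-instruction comments that were dropped) would avoid that. `ldb [23]` and `ldb [80]` are absolute offsets that only line up with the protocol byte and the payload byte if the IPv4 header has no options, which the filter does not check, and the `udp[38]` in the comment does not say whether it is relative to the UDP header or the payload. Finally, the accept return changes from `0x00000060` to `0xffffffff` (whole packet instead of a 96-byte snap length) without a mention in the commit message, and `0000000000` is an octal zero mixed in with hex literals.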
* Re: [PATCH net-next] tools: psock_lib: harden socket filter used by psock tests
From: Daniel Borkmann @ 2017-01-12 14:37 UTC
To: Sowmini Varadhan, netdev; +Cc: willemb, davem

On 01/12/2017 02:10 PM, Sowmini Varadhan wrote:
> The filter added by sock_setfilter is intended to only permit
> packets matching the pattern set up by create_payload(), but
> we only check the ip_len, and a single test-character in
> the IP packet to ensure this condition.
>
> Harden the filter by adding additional constraints so that we only
> permit UDP/IPv4 packets that meet the ip_len and test-character
> requirements. Include the bpf_asm src as a comment, in case this
> needs to be enhanced in the future
>
> Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>

LGTM, thanks!

Acked-by: Daniel Borkmann <daniel@iogearbox.net>
* Re: [PATCH net-next] tools: psock_lib: harden socket filter used by psock tests
From: David Miller @ 2017-01-12 15:51 UTC
To: sowmini.varadhan; +Cc: netdev, daniel, willemb

From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date: Thu, 12 Jan 2017 05:10:11 -0800

> The filter added by sock_setfilter is intended to only permit
> packets matching the pattern set up by create_payload(), but
> we only check the ip_len, and a single test-character in
> the IP packet to ensure this condition.
>
> Harden the filter by adding additional constraints so that we only
> permit UDP/IPv4 packets that meet the ip_len and test-character
> requirements. Include the bpf_asm src as a comment, in case this
> needs to be enhanced in the future
>
> Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>

Applied, thanks.