[PATCH -next 1/2] netfilter: nf_queue: cleanup copy

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage
@ 2013-06-05  8:22 Florian Westphal
  2013-06-05  8:22 ` [PATCH -next 2/2] netfilter: nfnetlink_queue: only add CAP_LEN attr when needed Florian Westphal
  2013-06-05 10:42 ` [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage Pablo Neira Ayuso
  0 siblings, 2 replies; 4+ messages in thread
From: Florian Westphal @ 2013-06-05  8:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

For every packet queued, we check if configured copy_range
is 0, and treat that as 'copy entire packet'.

We can move this check to the queue configuration, and can
set copy_range appropriately.

Also, convert repetitive '0xffff - NLA_HDRLEN' to a macro.

[ queue initialization still used 0xffff, although its harmless
  since the initial setting is overwritten on queue config ]

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 Changes since v1:
 - split CAP_LEN change into separate patch
 - also move comment

diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index cff4449..3c42181 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -41,6 +41,14 @@
 
 #define NFQNL_QMAX_DEFAULT 1024
 
+/* We're using struct nlattr which has 16bit nla_len. Note that nla_len
+ * includes the header length. Thus, the maximum packet length that we
+ * support is 65531 bytes. We send truncated packets if the specified length
+ * is larger than that.  Userspace can check for presence of NFQA_CAP_LEN
+ * attribute to detect truncation.
+ */
+#define NFQNL_MAX_COPY_RANGE (0xffff - NLA_HDRLEN)
+
 struct nfqnl_instance {
 	struct hlist_node hlist;		/* global list of queues */
 	struct rcu_head rcu;
@@ -122,7 +130,7 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num,
 	inst->queue_num = queue_num;
 	inst->peer_portid = portid;
 	inst->queue_maxlen = NFQNL_QMAX_DEFAULT;
-	inst->copy_range = 0xffff;
+	inst->copy_range = NFQNL_MAX_COPY_RANGE;
 	inst->copy_mode = NFQNL_COPY_NONE;
 	spin_lock_init(&inst->lock);
 	INIT_LIST_HEAD(&inst->queue_list);
@@ -333,10 +341,9 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 			return NULL;
 
 		data_len = ACCESS_ONCE(queue->copy_range);
-		if (data_len == 0 || data_len > entskb->len)
+		if (data_len > entskb->len)
 			data_len = entskb->len;
 
-
 		if (!entskb->head_frag ||
 		    skb_headlen(entskb) < L1_CACHE_BYTES ||
 		    skb_shinfo(entskb)->nr_frags >= MAX_SKB_FRAGS)
@@ -727,13 +734,8 @@ nfqnl_set_mode(struct nfqnl_instance *queue,
 
 	case NFQNL_COPY_PACKET:
 		queue->copy_mode = mode;
-		/* We're using struct nlattr which has 16bit nla_len. Note that
-		 * nla_len includes the header length. Thus, the maximum packet
-		 * length that we support is 65531 bytes. We send truncated
-		 * packets if the specified length is larger than that.
-		 */
-		if (range > 0xffff - NLA_HDRLEN)
-			queue->copy_range = 0xffff - NLA_HDRLEN;
+		if (range == 0 || range > NFQNL_MAX_COPY_RANGE)
+			queue->copy_range = NFQNL_MAX_COPY_RANGE;
 		else
 			queue->copy_range = range;
 		break;
-- 
1.7.8.6


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH -next 2/2] netfilter: nfnetlink_queue: only add CAP_LEN attr when needed
  2013-06-05  8:22 [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage Florian Westphal
@ 2013-06-05  8:22 ` Florian Westphal
  2013-06-05 10:43   ` Pablo Neira Ayuso
  2013-06-05 10:42 ` [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage Pablo Neira Ayuso
  1 sibling, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2013-06-05  8:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

CAP_LEN contains the size of the network packet we're queueing to
userspace, i.e. normally it is the same as the NFQA_PAYLOAD attribute len.

Include it only in the unlikely case when NFQA_PAYLOAD is truncated due
to copy_range limitations.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 Tested with examples/nf-queue.c from libnfqueue, it still
 prints 'truncated packet' on 1st packet sent from tracepath.

diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 3c42181..eb2cde8 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -472,7 +472,8 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 	if (ct && nfqnl_ct_put(skb, ct, ctinfo) < 0)
 		goto nla_put_failure;
 
-	if (cap_len > 0 && nla_put_be32(skb, NFQA_CAP_LEN, htonl(cap_len)))
+	if (cap_len > data_len &&
+	    nla_put_be32(skb, NFQA_CAP_LEN, htonl(cap_len)))
 		goto nla_put_failure;
 
 	if (nfqnl_put_packet_info(skb, entskb))
-- 
1.7.8.6


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage
  2013-06-05  8:22 [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage Florian Westphal
  2013-06-05  8:22 ` [PATCH -next 2/2] netfilter: nfnetlink_queue: only add CAP_LEN attr when needed Florian Westphal
@ 2013-06-05 10:42 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-05 10:42 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Wed, Jun 05, 2013 at 10:22:15AM +0200, Florian Westphal wrote:
> For every packet queued, we check if configured copy_range
> is 0, and treat that as 'copy entire packet'.
> 
> We can move this check to the queue configuration, and can
> set copy_range appropriately.
> 
> Also, convert repetitive '0xffff - NLA_HDRLEN' to a macro.
> 
> [ queue initialization still used 0xffff, although its harmless
>   since the initial setting is overwritten on queue config ]

Applied, thanks Florian.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH -next 2/2] netfilter: nfnetlink_queue: only add CAP_LEN attr when needed
  2013-06-05  8:22 ` [PATCH -next 2/2] netfilter: nfnetlink_queue: only add CAP_LEN attr when needed Florian Westphal
@ 2013-06-05 10:43   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-05 10:43 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Wed, Jun 05, 2013 at 10:22:16AM +0200, Florian Westphal wrote:
> CAP_LEN contains the size of the network packet we're queueing to
> userspace, i.e. normally it is the same as the NFQA_PAYLOAD attribute len.
> 
> Include it only in the unlikely case when NFQA_PAYLOAD is truncated due
> to copy_range limitations.

Also applied, thanks!

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2013-06-05 10:44 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-05  8:22 [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage Florian Westphal
2013-06-05  8:22 ` [PATCH -next 2/2] netfilter: nfnetlink_queue: only add CAP_LEN attr when needed Florian Westphal
2013-06-05 10:43   ` Pablo Neira Ayuso
2013-06-05 10:42 ` [PATCH -next 1/2] netfilter: nf_queue: cleanup copy_range usage Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).