* [PATCH 1/4] netfilter: nf_tables: use RCU-safe list insertion when replacing rules
@ 2014-06-10 8:53 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2014-06-10 8:53 UTC
To: netfilter-devel; +Cc: kaber
The patch 5e94846 ("netfilter: nf_tables: add insert operation") did
not include RCU-safe list insertion when replacing rules.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 624e083..ba37c10 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1796,7 +1796,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
goto err2;
}
nft_rule_disactivate_next(net, old_rule);
- list_add_tail(&rule->list, &old_rule->list);
+ list_add_tail_rcu(&rule->list, &old_rule->list);
} else {
err = -ENOENT;
goto err2;
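Review bot: converting the insertion to list_add_tail_rcu() covers only half of the RCU contract on the replace path; the replaced old_rule must also be unlinked with list_del_rcu() and freed only after a grace period (kfree_rcu() or synchronize_rcu()), otherwise a lockless traversal that has already reached old_rule can still touch freed memory. That removal happens outside this hunk, at transaction commit, so please confirm it in the commit message rather than leaving the reader to check. Minor and pre-existing: the name nft_rule_disactivate_next() on the line above is a typo for "deactivate" and would be worth a follow-up rename.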
--
1.7.10.4
* [PATCH 2/4] netfilter: nf_tables: use u32 for chain use counter
From: Pablo Neira Ayuso @ 2014-06-10 8:53 UTC
To: netfilter-devel; +Cc: kaber
Since 4fefee5 ("netfilter: nf_tables: allow to delete several objects
from a batch"), every new rule bumps the chain use counter. However,
this is limited to 16 bits, which means that it will overrun after
2^16 rules.
Use a u32 chain counter and check for overflows (just like we do for
table objects).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 6 +++---
net/netfilter/nf_tables_api.c | 3 +++
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 7ee6ce6..713b0b8 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -503,9 +503,9 @@ enum nft_chain_flags {
* @net: net namespace that this chain belongs to
* @table: table that this chain belongs to
* @handle: chain handle
- * @flags: bitmask of enum nft_chain_flags
* @use: number of jump references to this chain
* @level: length of longest path to this chain
+ * @flags: bitmask of enum nft_chain_flags
* @name: name of the chain
*/
struct nft_chain {
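Review bot: the kerneldoc for @use still reads "number of jump references to this chain", but the commit message says that since 4fefee5 every rule added to the chain also bumps it. Since this hunk already edits the comment block to move @flags, update the @use description to say it counts rules as well as jump references, so the field's meaning matches the overflow check introduced below.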
@@ -514,9 +514,9 @@ struct nft_chain {
struct net *net;
struct nft_table *table;
u64 handle;
- u8 flags;
- u16 use;
+ u32 use;
u16 level;
+ u8 flags;
char name[NFT_CHAIN_MAXNAMELEN];
};
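Review bot: moving "u8 flags;" below "u16 level;" keeps the three members in decreasing size order (u32, u16, u8), which avoids internal padding between them, but nothing records that the order is deliberate; a one-line comment next to the fields would stop the next field addition from undoing it.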
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index ba37c10..5586426 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1730,6 +1730,9 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
return -EINVAL;
handle = nf_tables_alloc_handle(table);
+
+ if (chain->use == UINT_MAX)
+ return -EOVERFLOW;
}
if (nla[NFTA_RULE_POSITION]) {
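Review bot: the overflow check is placed after "handle = nf_tables_alloc_handle(table);", so a request rejected with -EOVERFLOW has already consumed a handle value if the allocator advances a per-table generator. Move the "chain->use == UINT_MAX" test above the allocation so a rejected rule leaves no trace in table state. The check is correctly limited to the new-rule branch, since the replace branch does not grow the chain.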
--
1.7.10.4
* [PATCH 3/4] netfilter: nf_tables: decrement chain use counter when replacing rules
From: Pablo Neira Ayuso @ 2014-06-10 8:53 UTC
To: netfilter-devel; +Cc: kaber
Thus, the chain use counter remains with the same value after the
rule replacement.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 5586426..19f438d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1799,6 +1799,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
goto err2;
}
nft_rule_disactivate_next(net, old_rule);
+ chain->use--;
list_add_tail_rcu(&rule->list, &old_rule->list);
} else {
err = -ENOENT;
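Review bot: the "chain->use--" here is applied at rule-add time against a not-yet-committed transaction, while the old rule is only really removed when the batch commits. The matching "chain->use++" in the err3 unwind covers a failure inside this call, but if the whole batch is later aborted the replaced rule is reactivated and the counter must be restored there as well. Please confirm that nf_tables_abort() re-increments use for the replaced rule's transaction, or say in the commit message why the count is already correct after an abort.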
@@ -1829,6 +1830,7 @@ err3:
list_del_rcu(&nft_trans_rule(trans)->list);
nft_rule_clear(net, nft_trans_rule(trans));
nft_trans_destroy(trans);
+ chain->use++;
}
err2:
nf_tables_rule_destroy(&ctx, rule);
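Review bot: the commit message opens with "Thus, the chain use counter remains with the same value", but the sentence it follows from is missing; state explicitly what was wrong before (what the counter did on each replacement) so the intent of the paired decrement and re-increment is clear from the log alone. The re-increment itself is correctly placed after nft_trans_destroy(), in the branch that only runs when the replace transaction was created.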
--
1.7.10.4
* [PATCH 4/4] netfilter: nf_tables: fix wrong type in transaction when replacing rules
From: Pablo Neira Ayuso @ 2014-06-10 8:53 UTC
To: netfilter-devel; +Cc: kaber
In b380e5c ("netfilter: nf_tables: add message type to transactions"),
I used the wrong message type in the rule replacement case. The rule
that is replaced needs to be handled as a deleted rule.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 19f438d..39369ea 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1792,7 +1792,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
if (nlh->nlmsg_flags & NLM_F_REPLACE) {
if (nft_rule_is_active_next(net, old_rule)) {
- trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE,
+ trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
old_rule);
if (trans == NULL) {
err = -ENOMEM;
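Review bot: the transaction type is what tells the commit and abort paths how to treat old_rule, so tagging it NFT_MSG_DELRULE is what makes "handled as a deleted rule" actually happen; the commit message, however, only says the wrong type was used. Please spell out the observable effect of the bug (for example the replaced rule not being released at commit, or the wrong netlink event being reported) and whether the fix should go to stable. It is also worth stating that the counter adjustment in 3/4 was written with this DELRULE tagging in mind, since the two patches only make sense together.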
--
1.7.10.4