* [PATCH 1/3] netlink_linearize: fix range cmp instruction generation
@ 2015-06-02 10:57 Patrick McHardy
2015-06-02 10:57 ` [PATCH 2/3] ct: add maximum helper length value Patrick McHardy
2015-06-02 10:57 ` [PATCH 3/3] netlink_delinearize: remove obsolete fixme Patrick McHardy
0 siblings, 2 replies; 3+ messages in thread
From: Patrick McHardy @ 2015-06-02 10:57 UTC
To: pablo; +Cc: netfilter-devel
The LHS expression is generated twice and the register not properly released.
Fix by calling netlink_gen_range() before generating the LHS.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
src/netlink_linearize.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 9bef67b..0a0b686 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -203,6 +203,9 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx,
assert(dreg == NFT_REG_VERDICT);
+ if (expr->right->ops->type == EXPR_RANGE)
+ return netlink_gen_range(ctx, expr, dreg);
+
sreg = get_register(ctx);
netlink_gen_expr(ctx, expr->left, sreg);
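Review bot: the early `EXPR_RANGE` return added ahead of `get_register(ctx)` has no comment saying why it must come first, so a later cleanup could fold it back into the switch below and reintroduce the double LHS generation and unreleased register that the commit message describes. A one-line comment above the `if` noting that the range path generates the LHS itself would pin the ordering. Separately, `netlink_gen_cmp()` is declared `static void`, so `return netlink_gen_range(ctx, expr, dreg);` returns an expression from a void function; calling it and following with a bare `return;` is the portable form.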
@@ -229,8 +232,6 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx,
right = expr->right->prefix;
break;
}
- case EXPR_RANGE:
- return netlink_gen_range(ctx, expr, dreg);
default:
right = expr->right;
}
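Review bot: with `case EXPR_RANGE:` removed from this switch, a range on the right-hand side that ever reached it would land in `default:` and be used as a plain `right = expr->right` value. That path is unreachable only because of the early return added in the first hunk, so consider an `assert(expr->right->ops->type != EXPR_RANGE);` in the `default:` branch to make the dependency explicit and fail loudly if the early return is moved.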
--
2.1.0
* [PATCH 2/3] ct: add maximum helper length value
From: Patrick McHardy @ 2015-06-02 10:57 UTC
To: pablo; +Cc: netfilter-devel
The current kernel restricts ct helper names to 16 bytes length. Specify
this limit in the ct expression table to catch oversized strings in userspace.
Since older versions of nft didn't support larger values, this does not
negatively affect interaction with old kernel versions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
src/ct.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/ct.c b/src/ct.c
index 2eb85ea..aa80138 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -161,6 +161,10 @@ static void __init ct_label_table_init(void)
ct_label_tbl = rt_symbol_table_init("/etc/xtables/connlabel.conf");
}
+#ifndef NF_CT_HELPER_NAME_LEN
+#define NF_CT_HELPER_NAME_LEN 16
+#endif
+
static const struct ct_template ct_templates[] = {
[NFT_CT_STATE] = CT_TEMPLATE("state", &ct_state_type,
BYTEORDER_HOST_ENDIAN,
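Review bot: the fallback `#define NF_CT_HELPER_NAME_LEN 16` copies a kernel limit into `src/ct.c` without a comment naming where the value comes from, and because of the `#ifndef` guard, which definition is in effect depends on the headers included above it. Add a comment stating that this mirrors the kernel's ct helper name limit so the two can be kept in sync when either side changes.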
@@ -178,7 +182,8 @@ static const struct ct_template ct_templates[] = {
BYTEORDER_HOST_ENDIAN,
4 * BITS_PER_BYTE),
[NFT_CT_HELPER] = CT_TEMPLATE("helper", &string_type,
- BYTEORDER_HOST_ENDIAN, 0),
+ BYTEORDER_HOST_ENDIAN,
+ NF_CT_HELPER_NAME_LEN * BITS_PER_BYTE),
[NFT_CT_L3PROTOCOL] = CT_TEMPLATE("l3proto", &invalid_type,
BYTEORDER_INVALID,
BITS_PER_BYTE),
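Review bot: the `NFT_CT_HELPER` template length becomes `NF_CT_HELPER_NAME_LEN * BITS_PER_BYTE`, but neither this hunk nor the commit message says whether the 16 bytes include the terminating NUL. If they do, a 16-character helper name would pass the userspace length check while still being one byte too long for the kernel side. State the intended maximum name length in a comment next to the template entry and cover the 15-, 16- and 17-character cases in a test.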
--
2.1.0
* [PATCH 3/3] netlink_delinearize: remove obsolete fixme
From: Patrick McHardy @ 2015-06-02 10:57 UTC
To: pablo; +Cc: netfilter-devel
The FIXME was related to exclusion of string types from cmp length checks.
Since with fixed sized helper names the last case where this could happen
is gone, remove the FIXME and perform length checks on strings as well.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
src/netlink_delinearize.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index ec1a964..b23d587 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -166,9 +166,7 @@ static void netlink_parse_cmp(struct netlink_parse_ctx *ctx,
nld.value = nft_rule_expr_get(nle, NFT_EXPR_CMP_DATA, &nld.len);
right = netlink_alloc_value(loc, &nld);
- // FIXME
- if (left->len && left->dtype && left->dtype->type != TYPE_STRING &&
- left->len != right->len)
+ if (left->len != right->len)
return netlink_error(ctx, loc,
"Relational expression size mismatch");
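Review bot: the new condition `left->len != right->len` drops more than the string exclusion: the old test also required `left->len` to be non-zero and `left->dtype` to be set, while the commit message only justifies removing the `TYPE_STRING` case. If any left-hand expression can still arrive here with a length of 0, every such comparison now fails with "Relational expression size mismatch". Either state in the commit message that a zero `left->len` can no longer occur, or keep `left->len &&` in the condition and drop only the dtype and string tests.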
--
2.1.0