From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 8/9] Revert "netfilter: xtables: compute exact size needed for jumpstack"
Date: Sat, 29 Aug 2015 00:50:16 +0200 [thread overview]
Message-ID: <1440802217-13080-9-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1440802217-13080-1-git-send-email-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
This reverts commit 98d1bd802cdbc8f56868fae51edec13e86b59515.
mark_source_chains will not re-visit chains, so
*filter
:INPUT ACCEPT [365:25776]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [217:45832]
:t1 - [0:0]
:t2 - [0:0]
:t3 - [0:0]
:t4 - [0:0]
-A t1 -i lo -j t2
-A t2 -i lo -j t3
-A t3 -i lo -j t4
# -A INPUT -j t4
# -A INPUT -j t3
# -A INPUT -j t2
-A INPUT -j t1
COMMIT
Will compute a chain depth of 2 if the comments are removed.
Revert back to counting the number of chains for the time being.
Reported-by: Cong Wang <cwang@twopensource.com>
Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv4/netfilter/arp_tables.c | 19 +++++++------------
net/ipv4/netfilter/ip_tables.c | 28 ++++++++++------------------
net/ipv6/netfilter/ip6_tables.c | 23 ++++++++---------------
3 files changed, 25 insertions(+), 45 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index c416cb3..8f87fc3 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -367,13 +367,10 @@ static inline bool unconditional(const struct arpt_arp *arp)
/* Figures out from what hook each rule can be called: returns 0 if
* there are loops. Puts hook bitmask in comefrom.
- *
- * Keeps track of largest call depth seen and stores it in newinfo->stacksize.
*/
-static int mark_source_chains(struct xt_table_info *newinfo,
+static int mark_source_chains(const struct xt_table_info *newinfo,
unsigned int valid_hooks, void *entry0)
{
- unsigned int calldepth, max_calldepth = 0;
unsigned int hook;
/* No recursion; use packet counter to save back ptrs (reset
@@ -389,7 +386,6 @@ static int mark_source_chains(struct xt_table_info *newinfo,
/* Set initial back pointer. */
e->counters.pcnt = pos;
- calldepth = 0;
for (;;) {
const struct xt_standard_target *t
@@ -444,8 +440,6 @@ static int mark_source_chains(struct xt_table_info *newinfo,
(entry0 + pos + size);
e->counters.pcnt = pos;
pos += size;
- if (calldepth > 0)
- --calldepth;
} else {
int newpos = t->verdict;
@@ -460,10 +454,6 @@ static int mark_source_chains(struct xt_table_info *newinfo,
return 0;
}
- if (entry0 + newpos != arpt_next_entry(e) &&
- ++calldepth > max_calldepth)
- max_calldepth = calldepth;
-
/* This a jump; chase it. */
duprintf("Jump rule %u -> %u\n",
pos, newpos);
@@ -480,7 +470,6 @@ static int mark_source_chains(struct xt_table_info *newinfo,
next:
duprintf("Finished chain %u\n", hook);
}
- newinfo->stacksize = max_calldepth;
return 1;
}
@@ -670,6 +659,9 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
if (ret != 0)
break;
++i;
+ if (strcmp(arpt_get_target(iter)->u.user.name,
+ XT_ERROR_TARGET) == 0)
+ ++newinfo->stacksize;
}
duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
if (ret != 0)
@@ -1442,6 +1434,9 @@ static int translate_compat_table(const char *name,
break;
}
++i;
+ if (strcmp(arpt_get_target(iter1)->u.user.name,
+ XT_ERROR_TARGET) == 0)
+ ++newinfo->stacksize;
}
if (ret) {
/*
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 787f99e..b0a86e7 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -443,15 +443,11 @@ ipt_do_table(struct sk_buff *skb,
}
/* Figures out from what hook each rule can be called: returns 0 if
- * there are loops. Puts hook bitmask in comefrom.
- *
- * Keeps track of largest call depth seen and stores it in newinfo->stacksize.
- */
+ there are loops. Puts hook bitmask in comefrom. */
static int
-mark_source_chains(struct xt_table_info *newinfo,
+mark_source_chains(const struct xt_table_info *newinfo,
unsigned int valid_hooks, void *entry0)
{
- unsigned int calldepth, max_calldepth = 0;
unsigned int hook;
/* No recursion; use packet counter to save back ptrs (reset
@@ -465,7 +461,6 @@ mark_source_chains(struct xt_table_info *newinfo,
/* Set initial back pointer. */
e->counters.pcnt = pos;
- calldepth = 0;
for (;;) {
const struct xt_standard_target *t
@@ -527,9 +522,6 @@ mark_source_chains(struct xt_table_info *newinfo,
(entry0 + pos + size);
e->counters.pcnt = pos;
pos += size;
- WARN_ON_ONCE(calldepth == 0);
- if (calldepth > 0)
- --calldepth;
} else {
int newpos = t->verdict;
@@ -543,14 +535,9 @@ mark_source_chains(struct xt_table_info *newinfo,
newpos);
return 0;
}
- if (entry0 + newpos != ipt_next_entry(e) &&
- !(e->ip.flags & IPT_F_GOTO) &&
- ++calldepth > max_calldepth)
- max_calldepth = calldepth;
-
/* This a jump; chase it. */
- duprintf("Jump rule %u -> %u, calldepth %d\n",
- pos, newpos, calldepth);
+ duprintf("Jump rule %u -> %u\n",
+ pos, newpos);
} else {
/* ... this is a fallthru */
newpos = pos + e->next_offset;
@@ -564,7 +551,6 @@ mark_source_chains(struct xt_table_info *newinfo,
next:
duprintf("Finished chain %u\n", hook);
}
- newinfo->stacksize = max_calldepth;
return 1;
}
@@ -844,6 +830,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
if (ret != 0)
return ret;
++i;
+ if (strcmp(ipt_get_target(iter)->u.user.name,
+ XT_ERROR_TARGET) == 0)
+ ++newinfo->stacksize;
}
if (i != repl->num_entries) {
@@ -1759,6 +1748,9 @@ translate_compat_table(struct net *net,
if (ret != 0)
break;
++i;
+ if (strcmp(ipt_get_target(iter1)->u.user.name,
+ XT_ERROR_TARGET) == 0)
+ ++newinfo->stacksize;
}
if (ret) {
/*
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 4e21f80..0771991 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -455,15 +455,11 @@ ip6t_do_table(struct sk_buff *skb,
}
/* Figures out from what hook each rule can be called: returns 0 if
- * there are loops. Puts hook bitmask in comefrom.
- *
- * Keeps track of largest call depth seen and stores it in newinfo->stacksize.
- */
+ there are loops. Puts hook bitmask in comefrom. */
static int
-mark_source_chains(struct xt_table_info *newinfo,
+mark_source_chains(const struct xt_table_info *newinfo,
unsigned int valid_hooks, void *entry0)
{
- unsigned int calldepth, max_calldepth = 0;
unsigned int hook;
/* No recursion; use packet counter to save back ptrs (reset
@@ -477,7 +473,6 @@ mark_source_chains(struct xt_table_info *newinfo,
/* Set initial back pointer. */
e->counters.pcnt = pos;
- calldepth = 0;
for (;;) {
const struct xt_standard_target *t
@@ -539,8 +534,6 @@ mark_source_chains(struct xt_table_info *newinfo,
(entry0 + pos + size);
e->counters.pcnt = pos;
pos += size;
- if (calldepth > 0)
- --calldepth;
} else {
int newpos = t->verdict;
@@ -554,11 +547,6 @@ mark_source_chains(struct xt_table_info *newinfo,
newpos);
return 0;
}
- if (entry0 + newpos != ip6t_next_entry(e) &&
- !(e->ipv6.flags & IP6T_F_GOTO) &&
- ++calldepth > max_calldepth)
- max_calldepth = calldepth;
-
/* This a jump; chase it. */
duprintf("Jump rule %u -> %u\n",
pos, newpos);
@@ -575,7 +563,6 @@ mark_source_chains(struct xt_table_info *newinfo,
next:
duprintf("Finished chain %u\n", hook);
}
- newinfo->stacksize = max_calldepth;
return 1;
}
@@ -855,6 +842,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
if (ret != 0)
return ret;
++i;
+ if (strcmp(ip6t_get_target(iter)->u.user.name,
+ XT_ERROR_TARGET) == 0)
+ ++newinfo->stacksize;
}
if (i != repl->num_entries) {
@@ -1767,6 +1757,9 @@ translate_compat_table(struct net *net,
if (ret != 0)
break;
++i;
+ if (strcmp(ip6t_get_target(iter1)->u.user.name,
+ XT_ERROR_TARGET) == 0)
+ ++newinfo->stacksize;
}
if (ret) {
/*
--
1.7.10.4
next prev parent reply other threads:[~2015-08-28 22:44 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-28 22:50 [PATCH 0/9] Netfilter updates for net-next Pablo Neira Ayuso
2015-08-28 22:50 ` [PATCH 1/9] ipvs: Add ovf scheduler Pablo Neira Ayuso
2015-08-28 22:50 ` [PATCH 2/9] ipvs: call rtnl_lock early Pablo Neira Ayuso
2015-08-28 22:50 ` [PATCH 3/9] ipvs: add sync_maxlen parameter for the sync daemon Pablo Neira Ayuso
2015-08-28 22:50 ` [PATCH 4/9] ipvs: add more mcast parameters " Pablo Neira Ayuso
2015-08-28 22:50 ` [PATCH 5/9] netfilter: nf_dup: fix sparse warnings Pablo Neira Ayuso
2015-08-28 22:50 ` [PATCH 6/9] netfilter: xt_TEE: use IS_ENABLED(CONFIG_NF_DUP_IPV6) Pablo Neira Ayuso
2015-08-28 22:50 ` [PATCH 7/9] netfilter: ip6t_REJECT: added missing icmpv6 codes Pablo Neira Ayuso
2015-08-28 22:50 ` Pablo Neira Ayuso [this message]
2015-08-28 22:50 ` [PATCH 9/9] netfilter: reduce sparse warnings Pablo Neira Ayuso
2015-08-28 23:30 ` [PATCH 0/9] Netfilter updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1440802217-13080-9-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).