From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: netfilter-devel@vger.kernel.org
Cc: netdev@vger.kernel.org, davem@davemloft.net, fw@strlen.de,
dborkman@iogearbox.net, pablo@netfilter.org,
Willem de Bruijn <willemb@google.com>
Subject: [PATCH nf-next 0/7] xtables: use dedicated copy_to_user helpers
Date: Mon, 2 Jan 2017 17:19:39 -0500 [thread overview]
Message-ID: <1483395586-105774-1-git-send-email-willemdebruijn.kernel@gmail.com>

From: Willem de Bruijn <willemb@google.com>

xtables list and save interfaces share xt_match and xt_target state
with userspace. The kernel and userspace definitions of these structs
differ. Currently, the structs are copied wholesale, then patched up.
The match and target structs contain a kernel pointer. Type-specific
data may contain additional kernel-only state.

Introduce xt_match_to_user and xt_target_to_user helper functions to
copy only fields intended to be shared with userspace.

Introduce xt_data_to_user to do the same for type-specific state. Add
a field .usersize to xt_match and xt_target to define the range of
bytes in .matchsize that should be shared with userspace. All matches
and targets that define kernel-only data store this at the tail of
their struct.

Tested:

Ran iptables-test.py from iptables.git, with both a 64-bit and
32-bit compat binary. 603/603 tests passed both before and after
the patches (out of 705, but some CONFIGs were not enabled).

Also ran the following example queries manually, again using 64-bit
and 32-bit compat paths:

iptables -A INPUT -m string --algo bm --string 'xxx' -j LOG
iptables -L
iptables-save
ip6tables -A INPUT -m string --algo bm --string 'xxx' -j LOG
ip6tables -L
ip6tables-save
ebtables -A INPUT --limit 3 -j ACCEPT
ebtables -L
arptables -A INPUT --source-mac 00:11:22:33:44:55 -j ACCEPT
arptables -L

An instrumented binary that initializes its buffer with 0x66 bytes
shows the result of the patchset.

iptables LOG target in hex before and after. The xt_target struct
only has its size, name and revision specified. Trailing bytes in
the name field are not zeroed:

40 00 4c 4f 47 00 00 00
40 e1 0a a0 ff ff ff ff
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
04 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00

40 00 4c 4f 47 00 66 66
66 66 66 66 66 66 66 66
66 66 66 66 66 66 66 66
66 66 66 66 66 66 66 00
04 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00

ebtables limit match in hex before and after. Only the avg and burst
fields of ebt_limit_info are shared.

6c 69 6d 69 74 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
20 00 00 00 00 00 00 00
05 0d 00 00 05 00 00 00
66 de fc ff 00 00 00 00
50 d0 00 00 50 d0 00 00
a9 29 00 00 00 00 00 00

6c 69 6d 69 74 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
20 00 00 00 00 00 00 00
05 0d 00 00 05 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00

Willem de Bruijn (7):
  xtables: add xt_match, xt_target and data copy_to_user functions
  iptables: use match, target and data copy_to_user helpers
  ip6tables: use match, target and data copy_to_user helpers
  arptables: use match, target and data copy_to_user helpers
  ebtables: use match, target and data copy_to_user helpers
  xtables: use match, target and data copy_to_user helpers in compat
  xtables: extend matches and targets with .usersize

 include/linux/netfilter/x_tables.h |  9 +++++
 net/bridge/netfilter/ebt_limit.c   |  1 +
 net/bridge/netfilter/ebtables.c    | 78 +++++++++++++++++++++++---------------
 net/ipv4/netfilter/arp_tables.c    | 15 +++-----
 net/ipv4/netfilter/ip_tables.c     | 21 +++-------
 net/ipv4/netfilter/ipt_CLUSTERIP.c |  1 +
 net/ipv6/netfilter/ip6_tables.c    | 21 +++-------
 net/ipv6/netfilter/ip6t_NPT.c      |  2 +
 net/netfilter/x_tables.c           | 68 ++++++++++++++++++++++++++++-----
 net/netfilter/xt_CT.c              |  3 ++
 net/netfilter/xt_RATEEST.c         |  1 +
 net/netfilter/xt_TEE.c             |  2 +
 net/netfilter/xt_bpf.c             |  2 +
 net/netfilter/xt_cgroup.c          |  1 +
 net/netfilter/xt_connlimit.c       |  1 +
 net/netfilter/xt_hashlimit.c       |  4 ++
 net/netfilter/xt_limit.c           |  2 +
 net/netfilter/xt_quota.c           |  1 +
 net/netfilter/xt_rateest.c         |  1 +
 net/netfilter/xt_string.c          |  1 +
 20 files changed, 154 insertions(+), 81 deletions(-)

--
2.8.0.rc3.226.g39d4020
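The two copy-out strategies this cover letter contrasts, as an added userspace model (example code, not code from this series or from the kernel): the header layout follows the uapi struct xt_entry_target on a 64-bit build, while the payload (a constructed struct shaped like ebt_limit_info, with avg and burst shared and the rest kernel-only), the descriptor, the name "demo" and all byte values are assumptions made for the demonstration. copy_entry_old() reproduces "copy wholesale, then patch up" and lets the descriptor pointer and the kernel-only tail reach the user buffer; copy_entry_new() writes only the shared fields, copies .usersize bytes of payload and clears the rest, which is why unused name bytes keep the caller's 0x66 fill exactly as in the dumps above.

```c
/* Added example, not kernel code: userspace model of xtables entry copy-out
 * before and after the .usersize approach. Header layout follows the uapi
 * struct xt_entry_target on a 64-bit build; payload and values are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XT_EXTENSION_MAXNAMELEN 29
#define FILL 0x66 /* user buffer pre-fill, as in the instrumented binary */

struct xt_entry_target {
	union {
		struct { uint16_t target_size; char name[XT_EXTENSION_MAXNAMELEN]; uint8_t revision; } user;
		struct { uint16_t target_size; void *target; /* struct xt_target * */ } kernel;
		uint16_t target_size;
	} u;
	unsigned char data[];
};

/* Constructed payload shaped like ebt_limit_info: avg and burst are shared,
 * prev/credit/credit_cap/cost are kernel-only state stored at the tail. */
struct demo_info { uint32_t avg, burst; unsigned long prev; uint32_t credit, credit_cap, cost; };

/* Kernel-side descriptor, reduced to the fields this model needs (assumed). */
struct xt_target_desc { const char *name; uint8_t revision; unsigned int targetsize, usersize; };

static const struct xt_target_desc demo_target = {
	.name = "demo", .revision = 0,
	.targetsize = sizeof(struct demo_info),
	.usersize = offsetof(struct demo_info, prev), /* 0 would mean "share all" */
};

#define HDR_LEN   sizeof(struct xt_entry_target)
#define ENTRY_LEN (HDR_LEN + sizeof(struct demo_info))

static size_t kernel_ptr_off(void)
{
	struct xt_entry_target t;
	return (size_t)((unsigned char *)&t.u.kernel.target - (unsigned char *)&t);
}

/* The entry as the kernel holds it: descriptor pointer in the name union,
 * live limiter state in the payload (constructed values). */
static void build_kernel_entry(unsigned char *buf)
{
	struct xt_entry_target *t = (struct xt_entry_target *)buf;
	struct demo_info info;

	memset(&info, 0, sizeof(info));
	info.avg = 0xd05; info.burst = 5; info.prev = 0xfffcde66ul;
	info.credit = 0xd050; info.credit_cap = 0xd050; info.cost = 0x29a9;
	memset(buf, 0, ENTRY_LEN);
	t->u.kernel.target_size = (uint16_t)ENTRY_LEN;
	t->u.kernel.target = (void *)&demo_target; /* stands in for a kernel address */
	memcpy(t->data, &info, sizeof(info));
}

/* Pre-series path: copy wholesale, then patch name and revision over it.
 * Only strlen+1 name bytes are rewritten, so the pointer bytes and the
 * kernel-only payload tail both survive in the user copy. */
static void copy_entry_old(unsigned char *user, const unsigned char *kern)
{
	struct xt_entry_target *ut = (struct xt_entry_target *)user;

	memcpy(user, kern, ENTRY_LEN);
	memcpy(ut->u.user.name, demo_target.name, strlen(demo_target.name) + 1);
	ut->u.user.revision = demo_target.revision;
}

/* Post-series path: write only shared fields, copy usersize bytes of
 * payload and clear the remainder up to targetsize. */
static void copy_entry_new(unsigned char *user, const unsigned char *kern)
{
	const struct xt_entry_target *kt = (const struct xt_entry_target *)kern;
	struct xt_entry_target *ut = (struct xt_entry_target *)user;
	unsigned int usersize = demo_target.usersize ? demo_target.usersize : demo_target.targetsize;

	ut->u.user.target_size = kt->u.kernel.target_size;
	memcpy(ut->u.user.name, demo_target.name, strlen(demo_target.name) + 1);
	ut->u.user.revision = demo_target.revision;
	memcpy(ut->data, kt->data, usersize);
	memset(ut->data + usersize, 0, demo_target.targetsize - usersize);
}

/* Runs one path and describes the user copy as a bitmask:
 * bit 0: kernel pointer bytes present at their union offset
 * bit 1: kernel-only payload tail copied verbatim
 * bit 2: unused name bytes left untouched (still FILL)
 * bit 3: shared payload fields (avg, burst) intact */
static int check_path(int use_new)
{
	_Alignas(8) unsigned char kern[ENTRY_LEN];
	_Alignas(8) unsigned char user[ENTRY_LEN];
	size_t tail_off = HDR_LEN + demo_target.usersize;
	size_t tail_len = demo_target.targetsize - demo_target.usersize;
	size_t i, name_used = 2 + strlen(demo_target.name) + 1;
	int mask = 0, untouched = 1;

	build_kernel_entry(kern);
	memset(user, FILL, ENTRY_LEN);
	if (use_new) copy_entry_new(user, kern); else copy_entry_old(user, kern);

	if (memcmp(user + kernel_ptr_off(), kern + kernel_ptr_off(), sizeof(void *)) == 0) mask |= 1;
	if (memcmp(user + tail_off, kern + tail_off, tail_len) == 0) mask |= 2;
	for (i = name_used; i < 2 + XT_EXTENSION_MAXNAMELEN; i++)
		if (user[i] != FILL) untouched = 0;
	if (untouched) mask |= 4;
	if (memcmp(user + HDR_LEN, kern + HDR_LEN, demo_target.usersize) == 0) mask |= 8;
	return mask;
}

int main(void)
{
	_Alignas(8) unsigned char kern[ENTRY_LEN], user[ENTRY_LEN];
	size_t i;

	build_kernel_entry(kern);
	memset(user, FILL, ENTRY_LEN); copy_entry_old(user, kern);
	printf("old path (mask %d):\n", check_path(0));
	for (i = 0; i < ENTRY_LEN; i++) printf("%02x%c", user[i], i % 8 == 7 ? '\n' : ' ');
	memset(user, FILL, ENTRY_LEN); copy_entry_new(user, kern);
	printf("new path (mask %d):\n", check_path(1));
	for (i = 0; i < ENTRY_LEN; i++) printf("%02x%c", user[i], i % 8 == 7 ? '\n' : ' ');
	return 0;
}
```

Running it prints the two 64-byte copies in the same 8-bytes-per-line form as the dumps above: the old path shows the pointer at offset 8 and the prev/credit values past the shared payload, the new path shows 0x66 fill through the unused name bytes and zeros after avg and burst. The masks (11 for the old path, 12 for the new) are what a regression check would assert on.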
Thread overview:
2017-01-02 22:19 Willem de Bruijn [this message]
2017-01-02 22:19 ` [PATCH nf-next 1/7] xtables: add xt_match, xt_target and data copy_to_user functions Willem de Bruijn
2017-01-02 22:19 ` [PATCH nf-next 2/7] iptables: use match, target and data copy_to_user helpers Willem de Bruijn
2017-01-02 22:19 ` [PATCH nf-next 3/7] ip6tables: " Willem de Bruijn
2017-01-02 22:19 ` [PATCH nf-next 4/7] arptables: " Willem de Bruijn
2017-01-02 22:19 ` [PATCH nf-next 5/7] ebtables: " Willem de Bruijn
2017-01-02 22:19 ` [PATCH nf-next 6/7] xtables: use match, target and data copy_to_user helpers in compat Willem de Bruijn
2017-01-02 22:19 ` [PATCH nf-next 7/7] xtables: extend matches and targets with .usersize Willem de Bruijn
2017-01-09 16:30 ` [PATCH nf-next 0/7] xtables: use dedicated copy_to_user helpers Pablo Neira Ayuso