From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH RFC] nftables: fix surpression of "permission denied" errors
Date: Thu, 9 Jan 2014 18:40:25 +0100
Message-ID: <20140109174025.GA18767@localhost>
In-Reply-To: <20140108205813.GA5186@macbook.localnet>

Hi Patrick,

On Wed, Jan 08, 2014 at 08:58:13PM +0000, Patrick McHardy wrote:
> commit 8ca6730e9c8fd59d8a03ae505777a8a6b97898b1
> Author: Patrick McHardy <kaber@trash.net>
> Date:   Wed Jan 8 20:57:11 2014 +0000
> 
>     nftables: fix suppression of "permission denied" errors
>     
>     Introduction of batch support broke displaying of EPERM since those are
>     generated by the kernel before batch processing start and thus have the
>     sequence number of the NFNL_MSG_BATCH_BEGIN message instead of the
>     command messages. Also only a single error message is generated for the
>     entire batch.
>     
>     This patch fixes this by noting the batch sequence number and displaying
>     the error for all commands since this is what would happen if the
>     permission check was inside batch processing as every other check.

One error message per line can be too much if we have a big batch,
perhaps we can just point to the first rule in the batch and print
something like: "7 error suppressed.", similar to syslog, where 7 is
the number of rules that follow up after EPERM message.

BTW, with really really big batches, the kernel may fail to allocate
the acknowledgment. We discussed this already with David, and he
thinks it doesn't make sense to send such a big message back to
sender. We can add:

 void netlink_ack_len(struct sk_buff *in_skb, struct nlmsghdr *nlh,
                      int err, int len)

where len specifies the length, which would be the original netlink header +
nfnetlink header, so the rules are not sent back to userspace.

Let me know, thanks!
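As an added example, not code from the patch or from nft itself, here is a small C model of the seq-number mapping the commit message describes (an error ack carrying the NFNL_MSG_BATCH_BEGIN seq applies to every command in the batch) together with the "N errors suppressed." presentation proposed in the reply. The batch layout, seq values and function names are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CMDS 16

/* One submitted batch: the seq of NFNL_MSG_BATCH_BEGIN plus the seq of each
 * command message that followed it (constructed model, not nft's own code). */
struct batch {
    uint32_t begin_seq;
    uint32_t cmd_seq[MAX_CMDS];
    int ncmds;
};

/* Given the seq from a netlink error ack, mark in failed[] the commands it
 * applies to and return their count. An ack carrying the batch-begin seq
 * (EPERM raised before batch processing starts) applies to every command;
 * any other seq applies to the one command with that seq. -1: unknown seq. */
int map_error_to_cmds(const struct batch *b, uint32_t seq, int *failed)
{
    int i, n = 0;
    memset(failed, 0, sizeof(int) * b->ncmds);
    if (seq == b->begin_seq) {
        for (i = 0; i < b->ncmds; i++) { failed[i] = 1; n++; }
        return n;
    }
    for (i = 0; i < b->ncmds; i++)
        if (b->cmd_seq[i] == seq) { failed[i] = 1; return 1; }
    return -1;
}

/* Print the error once, for the first affected command, then a syslog-style
 * "N errors suppressed." for the rest. Returns the number suppressed. */
int report(const struct batch *b, uint32_t seq, int err)
{
    int failed[MAX_CMDS], i, n = map_error_to_cmds(b, seq, failed);
    if (n <= 0)
        return n;
    for (i = 0; !failed[i]; i++)
        ;
    printf("command %d (seq %u): %s\n", i, b->cmd_seq[i], strerror(err));
    if (n > 1)
        printf("%d errors suppressed.\n", n - 1);
    return n - 1;
}

/* Constructed sample: batch begin seq 100, four commands with seq 101..104. */
static const struct batch sample = { 100, { 101, 102, 103, 104 }, 4 };
```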
