* [PATCH] netfilter: nftables: fix nf_trace always-on with XT_TRACE=n
@ 2014-02-15 22:48 Florian Westphal
2014-02-16 10:20 ` Pablo Neira Ayuso
2014-02-17 10:40 ` Pablo Neira Ayuso
0 siblings, 2 replies; 7+ messages in thread
From: Florian Westphal @ 2014-02-15 22:48 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
When using nftables with CONFIG_NETFILTER_XT_TARGET_TRACE=n, we get
lots of "TRACE: filter:output:policy:1 IN=..." warnings as several
places will leave skb->nf_trace uninitialised.
Unlike iptables tracing functionality is not conditional in nftables,
so always copy/zero nf_trace setting when nftables is enabled.
Move this into __nf_copy() helper.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/linux/skbuff.h | 5 ++++-
net/core/skbuff.c | 3 ---
net/ipv4/ip_output.c | 3 ---
net/ipv6/ip6_output.c | 3 ---
4 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 1f689e6..99fc8b3 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2724,7 +2724,7 @@ static inline void nf_reset(struct sk_buff *skb)
static inline void nf_reset_trace(struct sk_buff *skb)
{
-#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
+#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)
skb->nf_trace = 0;
#endif
}
@@ -2741,6 +2741,9 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src)
dst->nf_bridge = src->nf_bridge;
nf_bridge_get(src->nf_bridge);
#endif
+#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)
+ dst->nf_trace = src->nf_trace;
+#endif
}
static inline void nf_copy(struct sk_buff *dst, const struct sk_buff *src)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 8f519db..875df74 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -705,9 +705,6 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
new->mark = old->mark;
new->skb_iif = old->skb_iif;
__nf_copy(new, old);
-#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
- new->nf_trace = old->nf_trace;
-#endif
#ifdef CONFIG_NET_SCHED
new->tc_index = old->tc_index;
#ifdef CONFIG_NET_CLS_ACT
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 8971780..73c6b63 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -422,9 +422,6 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
to->tc_index = from->tc_index;
#endif
nf_copy(to, from);
-#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
- to->nf_trace = from->nf_trace;
-#endif
#if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE)
to->ipvs_property = from->ipvs_property;
#endif
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index ef02b26..4cfbe0f 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -517,9 +517,6 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
to->tc_index = from->tc_index;
#endif
nf_copy(to, from);
-#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
- to->nf_trace = from->nf_trace;
-#endif
skb_copy_secmark(to, from);
}
--
1.8.1.5
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] netfilter: nftables: fix nf_trace always-on with XT_TRACE=n
2014-02-15 22:48 [PATCH] netfilter: nftables: fix nf_trace always-on with XT_TRACE=n Florian Westphal
@ 2014-02-16 10:20 ` Pablo Neira Ayuso
2014-02-16 10:28 ` Florian Westphal
2014-02-17 10:40 ` Pablo Neira Ayuso
1 sibling, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2014-02-16 10:20 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
Hi Florian,
On Sat, Feb 15, 2014 at 11:48:45PM +0100, Florian Westphal wrote:
> When using nftables with CONFIG_NETFILTER_XT_TARGET_TRACE=n, we get
> lots of "TRACE: filter:output:policy:1 IN=..." warnings as several
> places will leave skb->nf_trace uninitialised.
Good catch.
> Unlike iptables tracing functionality is not conditional in nftables,
> so always copy/zero nf_trace setting when nftables is enabled.
>
> Move this into __nf_copy() helper.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> include/linux/skbuff.h | 5 ++++-
> net/core/skbuff.c | 3 ---
> net/ipv4/ip_output.c | 3 ---
> net/ipv6/ip6_output.c | 3 ---
> 4 files changed, 4 insertions(+), 10 deletions(-)
>
> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> index 1f689e6..99fc8b3 100644
> --- a/include/linux/skbuff.h
> +++ b/include/linux/skbuff.h
> @@ -2724,7 +2724,7 @@ static inline void nf_reset(struct sk_buff *skb)
>
> static inline void nf_reset_trace(struct sk_buff *skb)
> {
> -#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
> +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)
Perhaps you can add a generic CONFIG_NF_TRACE that is set by xt_trace
and nf_tables?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] netfilter: nftables: fix nf_trace always-on with XT_TRACE=n
2014-02-16 10:20 ` Pablo Neira Ayuso
@ 2014-02-16 10:28 ` Florian Westphal
2014-02-16 10:43 ` Pablo Neira Ayuso
0 siblings, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2014-02-16 10:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > static inline void nf_reset_trace(struct sk_buff *skb)
> > {
> > -#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
> > +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)
>
> Perhaps you can add a generic CONFIG_NF_TRACE that is set by xt_trace
> and nf_tables?
I could do that, sure, but I don't see the value in doing so.
After this patch the only place where we need to test for both
are the two places in skbuff.h.
Unless you want to make the nf_trace operations in nftables
conditional on CONFIG_NF_TRACE?
OTOH I think that trace support is a very important thing to have and I
doubt that compiling it out would save a lot of size.
But sure, if you think it makes sense I can add CONFIG_NF_TRACE and
make nf_tables tracing conditional.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] netfilter: nftables: fix nf_trace always-on with XT_TRACE=n
2014-02-16 10:28 ` Florian Westphal
@ 2014-02-16 10:43 ` Pablo Neira Ayuso
2014-02-16 10:45 ` Patrick McHardy
2014-02-16 11:06 ` Florian Westphal
0 siblings, 2 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2014-02-16 10:43 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Sun, Feb 16, 2014 at 11:28:24AM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > static inline void nf_reset_trace(struct sk_buff *skb)
> > > {
> > > -#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
> > > +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)
> >
> > Perhaps you can add a generic CONFIG_NF_TRACE that is set by xt_trace
> > and nf_tables?
>
> I could do that, sure, but I don't see the value in doing so.
> After this patch the only place where we need to test for both
> are the two places in skbuff.h.
>
> Unless you want to make the nf_trace operations in nftables
> conditional on CONFIG_NF_TRACE?
No, that wasn't my intention.
> OTOH I think that trace support is a very important thing to have and I
> doubt that compiling it out would save a lot of size.
>
> But sure, if you think it makes sense I can add CONFIG_NF_TRACE and
> make nf_tables tracing conditional.
This is just a cosmetic comment, but I can live with that long #if
line. Leave it up to you to decide.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] netfilter: nftables: fix nf_trace always-on with XT_TRACE=n
2014-02-16 10:43 ` Pablo Neira Ayuso
@ 2014-02-16 10:45 ` Patrick McHardy
2014-02-16 11:06 ` Florian Westphal
1 sibling, 0 replies; 7+ messages in thread
From: Patrick McHardy @ 2014-02-16 10:45 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel
On Sun, Feb 16, 2014 at 11:43:11AM +0100, Pablo Neira Ayuso wrote:
> On Sun, Feb 16, 2014 at 11:28:24AM +0100, Florian Westphal wrote:
> > Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > > static inline void nf_reset_trace(struct sk_buff *skb)
> > > > {
> > > > -#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
> > > > +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)
> > >
> > > Perhaps you can add a generic CONFIG_NF_TRACE that is set by xt_trace
> > > and nf_tables?
> >
> > I could do that, sure, but I don't see the value in doing so.
> > After this patch the only place where we need to test for both
> > are the two places in skbuff.h.
> >
> > Unless you want to make the nf_trace operations in nftables
> > conditional on CONFIG_NF_TRACE?
>
> No, that wasn't my intention.
>
> > OTOH I think that trace support is a very important thing to have and I
> > doubt that compiling it out would save a lot of size.
> >
> > But sure, if you think it makes sense I can add CONFIG_NF_TRACE and
> > make nf_tables tracing conditional.
>
> This is just a cosmetic comment, but I can live with that long #if
> line. Leave it up to you to decide.
I intend to make nftables tracing use static keys, unless that turns out
not to reduce the overhead we can keep it unconditionally.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] netfilter: nftables: fix nf_trace always-on with XT_TRACE=n
2014-02-16 10:43 ` Pablo Neira Ayuso
2014-02-16 10:45 ` Patrick McHardy
@ 2014-02-16 11:06 ` Florian Westphal
1 sibling, 0 replies; 7+ messages in thread
From: Florian Westphal @ 2014-02-16 11:06 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > OTOH I think that trace support is a very important thing to have and I
> > doubt that compiling it out would save a lot of size.
> >
> > But sure, if you think it makes sense I can add CONFIG_NF_TRACE and
> > make nf_tables tracing conditional.
>
> This is just a cosmetic comment, but I can live with that long #if
> line. Leave it up to you to decide.
I see. I that case please consider applying the present patch.
I think adding extra kconfig symbol just for the sake of avoiding
two longer IS_ENABLED() statements is plain overkill :-)
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] netfilter: nftables: fix nf_trace always-on with XT_TRACE=n
2014-02-15 22:48 [PATCH] netfilter: nftables: fix nf_trace always-on with XT_TRACE=n Florian Westphal
2014-02-16 10:20 ` Pablo Neira Ayuso
@ 2014-02-17 10:40 ` Pablo Neira Ayuso
1 sibling, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2014-02-17 10:40 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Sat, Feb 15, 2014 at 11:48:45PM +0100, Florian Westphal wrote:
> When using nftables with CONFIG_NETFILTER_XT_TARGET_TRACE=n, we get
> lots of "TRACE: filter:output:policy:1 IN=..." warnings as several
> places will leave skb->nf_trace uninitialised.
>
> Unlike iptables tracing functionality is not conditional in nftables,
> so always copy/zero nf_trace setting when nftables is enabled.
>
> Move this into __nf_copy() helper.
Applied, thanks.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-02-17 10:40 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-02-15 22:48 [PATCH] netfilter: nftables: fix nf_trace always-on with XT_TRACE=n Florian Westphal
2014-02-16 10:20 ` Pablo Neira Ayuso
2014-02-16 10:28 ` Florian Westphal
2014-02-16 10:43 ` Pablo Neira Ayuso
2014-02-16 10:45 ` Patrick McHardy
2014-02-16 11:06 ` Florian Westphal
2014-02-17 10:40 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).