netfilter-devel.vger.kernel.org archive mirror
* [PATCH nf-next 1/2] netfilter: pkttype: unnecessary to check ipv6 multicast address
@ 2017-01-07 13:33 Liping Zhang
  2017-01-07 13:33 ` [PATCH nf-next 2/2] netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family Liping Zhang
  2017-01-18 19:33 ` [PATCH nf-next 1/2] netfilter: pkttype: unnecessary to check ipv6 multicast address Pablo Neira Ayuso
  0 siblings, 2 replies; 4+ messages in thread
From: Liping Zhang @ 2017-01-07 13:33 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Liping Zhang

From: Liping Zhang <zlpnobody@gmail.com>

Since there's no broadcast address in IPv6, in the ipv6 family the
PACKET_LOOPBACK packets must be multicast packets, so there's no need
to check it again.

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
---
 net/netfilter/nft_meta.c   | 5 +----
 net/netfilter/xt_pkttype.c | 3 +--
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 66c7f4b..9a22b24 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -154,10 +154,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
 				*dest = PACKET_BROADCAST;
 			break;
 		case NFPROTO_IPV6:
-			if (ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF)
-				*dest = PACKET_MULTICAST;
-			else
-				*dest = PACKET_BROADCAST;
+			*dest = PACKET_MULTICAST;
 			break;
 		default:
 			WARN_ON(1);
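Review bot: In the NFPROTO_IPV6 case, the unconditional `*dest = PACKET_MULTICAST;` carries no comment stating the invariant it relies on. The removed else branch mapped any destination whose first byte was not 0xFF to PACKET_BROADCAST, so the change is only a no-op if such a destination can never be seen here; the changelog argues that from IPv6 having no broadcast address. Please put that reasoning in a one-line comment above the assignment so the address check is not reintroduced later, and say in the changelog whether the old PACKET_BROADCAST result was ever reachable for ipv6.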
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 57efb70..1ef9915 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -33,8 +33,7 @@ pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	else if (xt_family(par) == NFPROTO_IPV4 &&
 	    ipv4_is_multicast(ip_hdr(skb)->daddr))
 		type = PACKET_MULTICAST;
-	else if (xt_family(par) == NFPROTO_IPV6 &&
-	    ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF)
+	else if (xt_family(par) == NFPROTO_IPV6)
 		type = PACKET_MULTICAST;
 	else
 		type = PACKET_BROADCAST;
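Review bot: The new `else if (xt_family(par) == NFPROTO_IPV6)` branch matches every IPv6 packet that gets past the conditions above it, so its correctness now rests entirely on the earlier part of this if/else chain, which is outside the hunk. It also leaves the IPv4 branch (still calling ipv4_is_multicast()) and the IPv6 branch asymmetric with no explanation in the code. A short comment on the IPv6 branch noting that IPv6 has no broadcast would cover both; the trailing `else` is then reached only by non-IPv6 families, which is worth confirming is intended.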
-- 
2.5.5




* [PATCH nf-next 2/2] netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family
  2017-01-07 13:33 [PATCH nf-next 1/2] netfilter: pkttype: unnecessary to check ipv6 multicast address Liping Zhang
@ 2017-01-07 13:33 ` Liping Zhang
  2017-01-18 19:33   ` Pablo Neira Ayuso
  2017-01-18 19:33 ` [PATCH nf-next 1/2] netfilter: pkttype: unnecessary to check ipv6 multicast address Pablo Neira Ayuso
  1 sibling, 1 reply; 4+ messages in thread
From: Liping Zhang @ 2017-01-07 13:33 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Liping Zhang

From: Liping Zhang <zlpnobody@gmail.com>

Add the following nft rule, then ping 224.0.0.1:
  # nft add rule netdev t c pkttype host counter

The warning message will be printed out again and again:
  WARNING: CPU: 0 PID: 10182 at net/netfilter/nft_meta.c:163 \
           nft_meta_get_eval+0x3fe/0x460 [nft_meta]
  [...]
  Call Trace:
  <IRQ>
  dump_stack+0x85/0xc2
  __warn+0xcb/0xf0
  warn_slowpath_null+0x1d/0x20
  nft_meta_get_eval+0x3fe/0x460 [nft_meta]
  nft_do_chain+0xff/0x5e0 [nf_tables]

So we should deal with PACKET_LOOPBACK in the netdev family too. For ipv4,
convert it to PACKET_BROADCAST/MULTICAST according to the destination
address's type; for ipv6, convert it to PACKET_MULTICAST directly.

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
---
 net/netfilter/nft_meta.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 9a22b24..e1f5ca9 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -156,8 +156,34 @@ void nft_meta_get_eval(const struct nft_expr *expr,
 		case NFPROTO_IPV6:
 			*dest = PACKET_MULTICAST;
 			break;
+		case NFPROTO_NETDEV:
+			switch (skb->protocol) {
+			case htons(ETH_P_IP): {
+				int noff = skb_network_offset(skb);
+				struct iphdr *iph, _iph;
+
+				iph = skb_header_pointer(skb, noff,
+							 sizeof(_iph), &_iph);
+				if (!iph)
+					goto err;
+
+				if (ipv4_is_multicast(iph->daddr))
+					*dest = PACKET_MULTICAST;
+				else
+					*dest = PACKET_BROADCAST;
+
+				break;
+			}
+			case htons(ETH_P_IPV6):
+				*dest = PACKET_MULTICAST;
+				break;
+			default:
+				WARN_ON_ONCE(1);
+				goto err;
+			}
+			break;
 		default:
-			WARN_ON(1);
+			WARN_ON_ONCE(1);
 			goto err;
 		}
 		break;
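Review bot: The inner `default:` under NFPROTO_NETDEV keeps a WARN_ON_ONCE(1) for any skb->protocol other than ETH_P_IP and ETH_P_IPV6, and on a netdev chain that value comes from the received frame. If a frame with another ethertype can reach this code, the warning is driven by traffic rather than by a kernel bug, which matters on systems that set panic_on_warn; consider a plain `goto err` there and keep the WARN only on the outer `default:` for unknown families. The NULL check after skb_header_pointer() is the right pattern for a header that may not be in the linear area. The switch of the outer WARN_ON to WARN_ON_ONCE is not mentioned in the changelog and deserves a line there.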
-- 
2.5.5




* Re: [PATCH nf-next 1/2] netfilter: pkttype: unnecessary to check ipv6 multicast address
  2017-01-07 13:33 [PATCH nf-next 1/2] netfilter: pkttype: unnecessary to check ipv6 multicast address Liping Zhang
  2017-01-07 13:33 ` [PATCH nf-next 2/2] netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family Liping Zhang
@ 2017-01-18 19:33 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2017-01-18 19:33 UTC (permalink / raw)
  To: Liping Zhang; +Cc: netfilter-devel, Liping Zhang

On Sat, Jan 07, 2017 at 09:33:54PM +0800, Liping Zhang wrote:
> From: Liping Zhang <zlpnobody@gmail.com>
> 
> Since there's no broadcast address in IPv6, in the ipv6 family the
> PACKET_LOOPBACK packets must be multicast packets, so there's no need
> to check it again.

Applied, thanks Liping.


* Re: [PATCH nf-next 2/2] netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family
  2017-01-07 13:33 ` [PATCH nf-next 2/2] netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family Liping Zhang
@ 2017-01-18 19:33   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2017-01-18 19:33 UTC (permalink / raw)
  To: Liping Zhang; +Cc: netfilter-devel, Liping Zhang

On Sat, Jan 07, 2017 at 09:33:55PM +0800, Liping Zhang wrote:
> From: Liping Zhang <zlpnobody@gmail.com>
> 
> Add the following nft rule, then ping 224.0.0.1:
>   # nft add rule netdev t c pkttype host counter
> 
> The warning message will be printed out again and again:
>   WARNING: CPU: 0 PID: 10182 at net/netfilter/nft_meta.c:163 \
>            nft_meta_get_eval+0x3fe/0x460 [nft_meta]
>   [...]
>   Call Trace:
>   <IRQ>
>   dump_stack+0x85/0xc2
>   __warn+0xcb/0xf0
>   warn_slowpath_null+0x1d/0x20
>   nft_meta_get_eval+0x3fe/0x460 [nft_meta]
>   nft_do_chain+0xff/0x5e0 [nf_tables]
> 
> So we should deal with PACKET_LOOPBACK in the netdev family too. For ipv4,
> convert it to PACKET_BROADCAST/MULTICAST according to the destination
> address's type; for ipv6, convert it to PACKET_MULTICAST directly.

Also applied, thanks.

