* Re: tproxy: added IPv6 support to the socket match [not found] <201010231923.o9NJNK9U013494@hera.kernel.org> @ 2010-10-28 18:51 ` Geert Uytterhoeven 2010-10-28 20:00 ` David Miller 0 siblings, 1 reply; 3+ messages in thread From: Geert Uytterhoeven @ 2010-10-28 18:51 UTC (permalink / raw) To: Balazs Scheidler, KOVACS Krisztian, Patrick McHardy, Andrew Morton Cc: Linux Kernel Mailing List, netfilter-devel On Sat, Oct 23, 2010 at 21:23, Linux Kernel Mailing List <linux-kernel@vger.kernel.org> wrote: > Gitweb: http://git.kernel.org/linus/b64c9256a9b76fc9f059f71bd08ba88fb0cbba2e > Commit: b64c9256a9b76fc9f059f71bd08ba88fb0cbba2e > Parent: 6ad7889327a5ee6ab4220bd34e4428c7d0de0f32 > Author: Balazs Scheidler <bazsi@balabit.hu> > AuthorDate: Thu Oct 21 16:19:42 2010 +0200 > Committer: Patrick McHardy <kaber@trash.net> > CommitDate: Thu Oct 21 16:19:42 2010 +0200 > > tproxy: added IPv6 support to the socket match > > The ICMP extraction bits were contributed by Harry Mason. > > Signed-off-by: Balazs Scheidler <bazsi@balabit.hu> > Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> > Signed-off-by: Patrick McHardy <kaber@trash.net> > --- > net/netfilter/xt_socket.c | 165 ++++++++++++++++++++++++++++++++++++++++++--- > 1 files changed, 154 insertions(+), 11 deletions(-) > > diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c > index 266faa0..2dbd4c8 100644 > --- a/net/netfilter/xt_socket.c 
> +++ b/net/netfilter/xt_socket.c > +static bool > +socket_mt6_v1(const struct sk_buff *skb, struct xt_action_param *par) > +{ > + struct ipv6hdr *iph = ipv6_hdr(skb); > + struct udphdr _hdr, *hp = NULL; > + struct sock *sk; > + struct in6_addr *daddr, *saddr; > + __be16 dport, sport; > + int thoff; > + u8 tproto; tproto is unsigned... > + const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; > + > + tproto = ipv6_find_hdr(skb, &thoff, -1, NULL); but ipv6_find_hdr() returns int, and negative values for errors... > + if (tproto < 0) { which it can never catch. > + pr_debug("unable to find transport header in IPv6 packet, dropping\n"); > + return NF_DROP; > + } net/netfilter/xt_socket.c:256: warning: comparison is always false due to limited range of data type Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 3+ messages in thread
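Review bot: the error path in socket_mt6_v1() does `return NF_DROP;` from a function declared `static bool`. NF_DROP is 0, so the caller sees false ("no match"), not a drop verdict, even though the pr_debug() text says "dropping". Suggest `return false;` with the message reworded, or, if the packet really should be dropped here, setting the hotdrop flag in `par` before returning false.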
* Re: tproxy: added IPv6 support to the socket match 2010-10-28 18:51 ` tproxy: added IPv6 support to the socket match Geert Uytterhoeven @ 2010-10-28 20:00 ` David Miller 2010-10-29 14:31 ` Patrick McHardy 0 siblings, 1 reply; 3+ messages in thread From: David Miller @ 2010-10-28 20:00 UTC (permalink / raw) To: geert; +Cc: bazsi, hidden, kaber, akpm, linux-kernel, netfilter-devel From: Geert Uytterhoeven <geert@linux-m68k.org> Date: Thu, 28 Oct 2010 20:51:43 +0200 >> + u8 tproto; > > tproto is unsigned... > >> + const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; >> + >> + tproto = ipv6_find_hdr(skb, &thoff, -1, NULL); > > but ipv6_find_hdr() returns int, and negative values for errors... Thanks Geert, I'll fix it like so: -------------------- netfilter: xt_socket: Make tproto signed in socket_mt6_v1(). Otherwise error indications from ipv6_find_hdr() won't be noticed. This required making the protocol argument to extract_icmp6_fields() signed too. Reported-by: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: David S. Miller <davem@davemloft.net> --- net/netfilter/xt_socket.c | 7 +++---- 1 files changed, 3 insertions(+), 4 deletions(-) diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c index d94a858..00d6ae8 100644 --- a/net/netfilter/xt_socket.c +++ b/net/netfilter/xt_socket.c @@ -195,7 +195,7 @@ socket_mt4_v1(const struct sk_buff *skb, struct xt_action_param *par) static int extract_icmp6_fields(const struct sk_buff *skb, unsigned int outside_hdrlen, - u8 *protocol, + int *protocol, struct in6_addr **raddr, struct in6_addr **laddr, __be16 *rport, @@ -252,8 +252,7 @@ socket_mt6_v1(const struct sk_buff *skb, struct xt_action_param *par) struct sock *sk; struct in6_addr *daddr, *saddr; __be16 dport, sport; - int thoff; - u8 tproto; + int thoff, tproto; const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; tproto = ipv6_find_hdr(skb, &thoff, -1, NULL); 
@@ -305,7 +304,7 @@ socket_mt6_v1(const struct sk_buff *skb, struct xt_action_param *par) sk = NULL; } - pr_debug("proto %hhu %pI6:%hu -> %pI6:%hu " + pr_debug("proto %hhd %pI6:%hu -> %pI6:%hu " "(orig %pI6:%hu) sock %p\n", tproto, saddr, ntohs(sport), daddr, ntohs(dport), -- 1.7.3.2 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 3+ messages in thread
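Review bot: in the last hunk the pr_debug() format goes from `%hhu` to `%hhd`, but tproto is now a plain int, so the `hh` modifier still narrows it to a char when printing and a value above 127 would show up as negative in the debug output. `%d` matches the new type: `pr_debug("proto %d %pI6:%hu -> %pI6:%hu "`.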
* Re: tproxy: added IPv6 support to the socket match 2010-10-28 20:00 ` David Miller @ 2010-10-29 14:31 ` Patrick McHardy 0 siblings, 0 replies; 3+ messages in thread From: Patrick McHardy @ 2010-10-29 14:31 UTC (permalink / raw) To: David Miller; +Cc: geert, bazsi, hidden, akpm, linux-kernel, netfilter-devel On 28.10.2010 22:00, David Miller wrote: > From: Geert Uytterhoeven <geert@linux-m68k.org> > Date: Thu, 28 Oct 2010 20:51:43 +0200 > >>> + u8 tproto; >> >> tproto is unsigned... >> >>> + const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; >>> + >>> + tproto = ipv6_find_hdr(skb, &thoff, -1, NULL); >> >> but ipv6_find_hdr() returns int, and negative values for errors... > > Thanks Geert, I'll fix it like so: > > -------------------- > netfilter: xt_socket: Make tproto signed in socket_mt6_v1(). > > Otherwise error indications from ipv6_find_hdr() won't be noticed. > > This required making the protocol argument to extract_icmp6_fields() > signed too. > > Reported-by: Geert Uytterhoeven <geert@linux-m68k.org> > Signed-off-by: David S. Miller <davem@davemloft.net> Thanks for taking care of this Dave. ^ permalink raw reply [flat|nested] 3+ messages in thread
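The narrowing bug reported in this thread, as an added example that is not part of any message or of the kernel source: a userspace model in which `find_transport_proto()` is a hypothetical stand-in for `ipv6_find_hdr()` and `sample` is a constructed packet. It shows a truncated packet's negative errno turning into a bogus protocol number when stored in a `u8`, and being caught when kept in an `int`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a header walk such as ipv6_find_hdr(): returns
 * the transport protocol (>= 0), or a negative errno on a truncated packet. */
static int find_transport_proto(const uint8_t *pkt, size_t len)
{
    size_t off = 40;                     /* fixed IPv6 header */
    if (len < off)
        return -ENOENT;
    uint8_t nexthdr = pkt[6];            /* Next Header field */
    /* 0 = hop-by-hop, 43 = routing, 60 = destination options */
    while (nexthdr == 0 || nexthdr == 43 || nexthdr == 60) {
        if (len < off + 8)
            return -ENOENT;              /* extension header cut short */
        nexthdr = pkt[off];
        off += ((size_t)pkt[off + 1] + 1) * 8;
    }
    return len < off ? -ENOENT : nexthdr;
}

/* Reported pattern: result narrowed to u8, so the error branch is dead. */
static int proto_via_u8(const uint8_t *pkt, size_t len)
{
    uint8_t tproto = (uint8_t)find_transport_proto(pkt, len);
    int seen = tproto;                   /* always 0..255 */
    return seen < 0 ? -1 : seen;
}

/* Fixed pattern: keep the result in an int until it has been checked. */
static int proto_via_int(const uint8_t *pkt, size_t len)
{
    int tproto = find_transport_proto(pkt, len);
    return tproto < 0 ? -1 : tproto;
}

/* Constructed sample: byte 6 = 0 announces a hop-by-hop header, byte 40
 * says UDP (17) follows it. Passing len 40 models a truncated packet. */
static const uint8_t sample[48] = { [0] = 0x60, [40] = 17 };

int main(void)
{
    printf("truncated: u8=%d int=%d\n",
           proto_via_u8(sample, 40), proto_via_int(sample, 40));
    return 0;
}
```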