From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Phil Sutter <phil@nwl.cc>,
Richard Guy Briggs <rgb@redhat.com>,
Florian Westphal <fw@strlen.de>, Sasha Levin <sashal@kernel.org>,
Paul Moore <paul@paul-moore.com>
Subject: [PATCH 6.1 31/62] netfilter: nf_tables: audit log object reset once per table
Date: Mon, 6 Nov 2023 14:03:37 +0100 [thread overview]
Message-ID: <20231106130302.951136024@linuxfoundation.org> (raw)
In-Reply-To: <20231106130301.807965064@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit 1baf0152f7707c6c7e4ea815dcc1f431c0e603f9 ]
When resetting multiple objects at once (via dump request), emit a log
message per table (or filled skb) and resurrect the 'entries' parameter
to contain the number of objects being logged for.
To test the skb exhaustion path, perform some bulk counter and quota
adds in the kselftest.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Paul Moore <paul@paul-moore.com> (Audit)
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 50 +++++++++++--------
.../testing/selftests/netfilter/nft_audit.sh | 46 +++++++++++++++++
2 files changed, 74 insertions(+), 22 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 5e3dbe2652dbd..5c783199b4999 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7324,6 +7324,16 @@ static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
return -1;
}
+static void audit_log_obj_reset(const struct nft_table *table,
+ unsigned int base_seq, unsigned int nentries)
+{
+ char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
+
+ audit_log_nfcfg(buf, table->family, nentries,
+ AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
+ kfree(buf);
+}
+
struct nft_obj_filter {
char *table;
u32 type;
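Review bot: `kasprintf(GFP_ATOMIC, ...)` in `audit_log_obj_reset` can return NULL under memory pressure, and `buf` is handed to `audit_log_nfcfg` without a check, so a failed allocation produces an audit record with a bogus table name instead of a recognisable one. The removed per-object code had the same shape, but now that the call is centralised in one helper it is the natural place to add `if (!buf) return;` (or to fall back to logging `table->name` alone) and a one-line comment explaining that `base_seq` is appended so that records belonging to one reset request can be correlated.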
@@ -7338,8 +7348,10 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
struct nftables_pernet *nft_net;
+ unsigned int entries = 0;
struct nft_object *obj;
bool reset = false;
+ int rc = 0;
if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
reset = true;
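Review bot: `rc` is initialised to 0 once and is never reset between tables; that is only safe because every negative `rc` breaks out of both the inner and the outer loop further down, so a stale value can never be observed. Either reset `rc` next to the per-table `entries = 0` or put a short comment beside the declaration so the invariant is explicit for the next person touching the loop.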
@@ -7352,6 +7364,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
if (family != NFPROTO_UNSPEC && family != table->family)
continue;
+ entries = 0;
list_for_each_entry_rcu(obj, &table->objects, list) {
if (!nft_is_active(net, obj))
goto cont;
@@ -7367,34 +7380,27 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
filter->type != NFT_OBJECT_UNSPEC &&
obj->ops->type->type != filter->type)
goto cont;
- if (reset) {
- char *buf = kasprintf(GFP_ATOMIC,
- "%s:%u",
- table->name,
- nft_net->base_seq);
-
- audit_log_nfcfg(buf,
- family,
- obj->handle,
- AUDIT_NFT_OP_OBJ_RESET,
- GFP_ATOMIC);
- kfree(buf);
- }
- if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
- cb->nlh->nlmsg_seq,
- NFT_MSG_NEWOBJ,
- NLM_F_MULTI | NLM_F_APPEND,
- table->family, table,
- obj, reset) < 0)
- goto done;
+ rc = nf_tables_fill_obj_info(skb, net,
+ NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq,
+ NFT_MSG_NEWOBJ,
+ NLM_F_MULTI | NLM_F_APPEND,
+ table->family, table,
+ obj, reset);
+ if (rc < 0)
+ break;
+ entries++;
nl_dump_check_consistent(cb, nlmsg_hdr(skb));
cont:
idx++;
}
+ if (reset && entries)
+ audit_log_obj_reset(table, nft_net->base_seq, entries);
+ if (rc < 0)
+ break;
}
-done:
rcu_read_unlock();
cb->args[0] = idx;
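Review bot: the record emitted at `if (reset && entries)` counts only objects that were actually copied into this skb (`entries++` runs after a successful `nf_tables_fill_obj_info`), so when the skb fills mid-table the rest of that table is logged in a second record with the same `table:base_seq` key on the next dump continuation. That is the "per table (or filled skb)" semantics the commit message describes, but it deserves a comment above the check, since a reader would otherwise assume exactly one record per table and an audit consumer must sum `entries` across records sharing the key. On the positive side, tables filtered out entirely keep `entries == 0`, so no empty record is produced, and the `break` on `rc < 0` cleanly replaces the removed `done:` label.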
@@ -7499,7 +7505,7 @@ static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
audit_log_nfcfg(buf,
family,
- obj->handle,
+ 1,
AUDIT_NFT_OP_OBJ_RESET,
GFP_ATOMIC);
kfree(buf);
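Review bot: swapping `obj->handle` for the literal `1` fixes the single-object reset path, where the object handle was previously being logged in the `entries` field; this is a separate bug from the dump-path change and is easy to miss, so a sentence in the commit message noting that `nf_tables_getobj` now reports `entries=1` would help backporters and anyone auditing older records.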
diff --git a/tools/testing/selftests/netfilter/nft_audit.sh b/tools/testing/selftests/netfilter/nft_audit.sh
index 5267c88496d51..99ed5bd6e8402 100755
--- a/tools/testing/selftests/netfilter/nft_audit.sh
+++ b/tools/testing/selftests/netfilter/nft_audit.sh
@@ -99,6 +99,12 @@ do_test 'nft add counter t1 c1' \
do_test 'nft add counter t2 c1; add counter t2 c2' \
'table=t2 family=2 entries=2 op=nft_register_obj'
+for ((i = 3; i <= 500; i++)); do
+ echo "add counter t2 c$i"
+done >$rulefile
+do_test "nft -f $rulefile" \
+'table=t2 family=2 entries=498 op=nft_register_obj'
+
# adding/updating quotas
do_test 'nft add quota t1 q1 { 10 bytes }' \
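Review bot: `$rulefile` is written with `>$rulefile` but this hunk does not show where it is defined or removed; make sure it is created earlier in the script and cleaned up on exit, otherwise the test leaves a temporary file behind and, if the variable is unset, `nft -f` is invoked with an empty path. The expected `entries=498` matches the loop bounds (c3 through c500).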
@@ -107,6 +113,12 @@ do_test 'nft add quota t1 q1 { 10 bytes }' \
do_test 'nft add quota t2 q1 { 10 bytes }; add quota t2 q2 { 10 bytes }' \
'table=t2 family=2 entries=2 op=nft_register_obj'
+for ((i = 3; i <= 500; i++)); do
+ echo "add quota t2 q$i { 10 bytes }"
+done >$rulefile
+do_test "nft -f $rulefile" \
+'table=t2 family=2 entries=498 op=nft_register_obj'
+
# changing the quota value triggers obj update path
do_test 'nft add quota t1 q1 { 20 bytes }' \
'table=t1 family=2 entries=1 op=nft_register_obj'
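Review bot: this block is a copy of the counter loop above with only the object kind and the per-line template changed; a small helper taking those two as arguments would keep the two bulk-add cases in sync if the bound of 500 is ever tuned. The expected count of 498 again matches q3 through q500.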
@@ -156,6 +168,40 @@ done
do_test 'nft reset set t1 s' \
'table=t1 family=2 entries=3 op=nft_reset_setelem'
+# resetting counters
+
+do_test 'nft reset counter t1 c1' \
+'table=t1 family=2 entries=1 op=nft_reset_obj'
+
+do_test 'nft reset counters t1' \
+'table=t1 family=2 entries=1 op=nft_reset_obj'
+
+do_test 'nft reset counters t2' \
+'table=t2 family=2 entries=342 op=nft_reset_obj
+table=t2 family=2 entries=158 op=nft_reset_obj'
+
+do_test 'nft reset counters' \
+'table=t1 family=2 entries=1 op=nft_reset_obj
+table=t2 family=2 entries=341 op=nft_reset_obj
+table=t2 family=2 entries=159 op=nft_reset_obj'
+
+# resetting quotas
+
+do_test 'nft reset quota t1 q1' \
+'table=t1 family=2 entries=1 op=nft_reset_obj'
+
+do_test 'nft reset quotas t1' \
+'table=t1 family=2 entries=1 op=nft_reset_obj'
+
+do_test 'nft reset quotas t2' \
+'table=t2 family=2 entries=315 op=nft_reset_obj
+table=t2 family=2 entries=185 op=nft_reset_obj'
+
+do_test 'nft reset quotas' \
+'table=t1 family=2 entries=1 op=nft_reset_obj
+table=t2 family=2 entries=314 op=nft_reset_obj
+table=t2 family=2 entries=186 op=nft_reset_obj'
+
# deleting rules
readarray -t handles < <(nft -a list chain t1 c1 | \
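Review bot: the expected split of the 500 t2 objects across two audit records (342/158 for counters, 315/185 for quotas, and 341/159 and 314/186 when t1's single object occupies a slot in the first skb) encodes how many objects fit into one netlink dump skb, which depends on each object type's attribute sizes and on the skb allocation size rather than on anything the script controls. Consider asserting on the sum of the two records (both pairs must total 500) or adding a comment stating why these exact numbers are expected, so that a future change to the message layout is not mistaken for an audit regression.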
--
2.42.0