[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190619165039.yg3gzhkg2kvze5py@salvia>
Date: Wed, 19 Jun 2019 18:50:39 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Stephen Suryaputra <ssuryaextr@...il.com>
Cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH RESEND nf-next] netfilter: add support for matching IPv4
options
On Tue, Jun 18, 2019 at 10:13:55AM -0400, Stephen Suryaputra wrote:
> On Tue, Jun 18, 2019 at 05:31:12PM +0200, Pablo Neira Ayuso wrote:
> > > +{
> > > + unsigned char optbuf[sizeof(struct ip_options) + 41];
> >
> > In other parts of the kernel this is + 40:
> >
> > net/ipv4/cipso_ipv4.c: unsigned char optbuf[sizeof(struct ip_options) + 40];
> >
> > here it is + 41.
> >
> > ...
> >
> > > + /* Copy the options since __ip_options_compile() modifies
> > > + * the options. Get one byte beyond the option for target < 0
> >
> > How does this "one byte beyond the option" trick works?
>
> I used ipv6_find_hdr() as a reference. There if target is set to less
> than 0, then the offset points to the byte beyond the extension header.
> In this function, it points to the byte beyond the option. I wanted to
> be as close as a working code as possible. Also, why +41 instead of +40.
OK. But this is never used in this new extension, priv->type is always
set. I mean, we already have a pointer to the transport header via
nft_pktinfo->xt.thoff.
> > > + if (opt->end) {
> > > + *offset = opt->end + start;
> > > + target = IPOPT_END;
> >
> > May I ask, what's the purpose of IPOPT_END? :-)
>
> My understanding is that in ipv6_find_hdr() if the nexthdr is
> NEXTHDR_NONE, then that's the one being returned. The same here: target
> is the return value.
Code that falls under the default: case that deals with IPOPT_END is
never exercised, right?
priv->type is always set to >= 0, so the opt->end never happens.
Hence, we can remove the chunk in net/ipv4/ip_options.c.
> > Apart from the above, this looks good to me.
>
> AOK for other comments. I can spin another version.
Please, do.
Thanks for explaining. I understand motivation is to mimic
ipv6_find_hdr() which is a good idea indeed... if this functions
becomes used away from the netfilter tree at some point that would be
a good pattern to extend it. However, so far - please correct me if
I'm mistaken - for the requirements of nft_exthdr to support IPv4
options, we don't seem to need it, so I would prefer to start with the
bare minimum code that nft_exthdr needs, if possible.
Thanks!
Powered by blists - more mailing lists