Date:   Wed, 30 Oct 2019 11:09:55 +0800
From:   wenxu <wenxu@...oud.cn>
To:     Pablo Neira Ayuso <pablo@...filter.org>,
        netfilter-devel@...r.kernel.org
Cc:     jiri@...nulli.us, netdev@...r.kernel.org
Subject: Re: [PATCH nf-next] netfilter: nf_tables_offload: allow ethernet
 interface type only


On 10/29/2019 6:40 PM, Pablo Neira Ayuso wrote:
> @@ -113,6 +114,7 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx,
>  			     const struct nft_cmp_expr *priv)
>  {
>  	struct nft_offload_reg *reg = &ctx->regs[priv->sreg];
> +	static u16 iftype_ether = ARPHRD_ETHER;
>  	u8 *mask = (u8 *)&flow->match.mask;
>  	u8 *key = (u8 *)&flow->match.key;
>  
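Review bot: `iftype_ether` is declared as a writable function-local static, although nothing on the visible lines ever stores to it. `static const u16 iftype_ether = ARPHRD_ETHER;` would place it in read-only data and make clear that it is a fixed comparison value. It is only read by the memcmp() added in the next hunk. The body of __nft_cmp_offload continues outside this hunk.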
> @@ -125,6 +127,11 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx,
>  	flow->match.dissector.used_keys |= BIT(reg->key);
>  	flow->match.dissector.offset[reg->key] = reg->base_offset;
>  
> +	if (reg->key == FLOW_DISSECTOR_KEY_META &&
> +	    reg->offset == offsetof(struct nft_flow_key, meta.ingress_iftype) &&
> +	    memcmp(&priv->data, &iftype_ether, priv->len))
Maybe it would be better to check that priv->len == sizeof(u16)?
> +		return -EOPNOTSUPP;
> +
>  	nft_offload_update_dependency(ctx, &priv->data, priv->len);
>  
>  	return 0;
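Review bot: The new -EOPNOTSUPP return sits after `used_keys` and `offset[reg->key]` have already been written on the two context lines above it, so a rejected interface type leaves the flow match partly updated. Moving the check ahead of those writes would keep the failure path free of side effects; whether the caller discards the flow on error is not visible here. A short comment above the condition, such as `/* only ethernet devices can be offloaded */`, would also explain why other types are refused. The function starts outside the hunk.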
> diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
> index 8fd21f436347..6fb6a6778e68 100644
> --- a/net/netfilter/nft_meta.c
> +++ b/net/netfilter/nft_meta.c
> @@ -551,6 +551,10 @@ static int nft_meta_get_offload(struct nft_offload_ctx *ctx,
>  		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
>  				  ingress_ifindex, sizeof(__u32), reg);
>  		break;
> +	case NFT_META_IIFTYPE:
> +		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
> +				  ingress_iftype, sizeof(__u16), reg);
> +		break;
>  	default:
>  		return -EOPNOTSUPP;
>  	}
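Review bot: The new `NFT_META_IIFTYPE` case accepts the match unconditionally, while the ethernet-only restriction is enforced in __nft_cmp_offload in the other file of this patch. A comment on the case, e.g. `/* ARPHRD_ETHER only, checked in __nft_cmp_offload() */`, would keep that dependency visible to the next reader. If meta iiftype can feed an expression other than cmp on the offload path, the restriction would presumably not apply there; that cannot be determined from this hunk. The switch and nft_meta_get_offload start outside the hunk.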
