| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 May 2020 13:58:27 +0800
From: wenxu <wenxu@...oud.cn>
To: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Cc: paulb@...lanox.com, netdev@...r.kernel.org, davem@...emloft.net
Subject: Re: [PATCH] net/sched: act_ct: add nat mangle action only for
NAT-conntrack
在 2020/5/30 8:04, wenxu 写道:
> 在 2020/5/30 1:56, Marcelo Ricardo Leitner 写道:
>> On Fri, May 29, 2020 at 12:07:45PM +0800, wenxu@...oud.cn wrote:
>>> From: wenxu <wenxu@...oud.cn>
>>>
>>> Currently add nat mangle action with comparing invert and ori tuple.
>>> It is better to check IPS_NAT_MASK flags first to avoid non necessary
>>> memcmp for non-NAT conntrack.
>>>
>>> Signed-off-by: wenxu <wenxu@...oud.cn>
>>> ---
>>> net/sched/act_ct.c | 19 +++++++++++++------
>>> 1 file changed, 13 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
>>> index c50a86a..d621152 100644
>>> --- a/net/sched/act_ct.c
>>> +++ b/net/sched/act_ct.c
>>> @@ -198,18 +198,21 @@ static int tcf_ct_flow_table_add_action_nat(struct net *net,
>>> struct flow_action *action)
>>> {
>>> const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
>>> + bool nat = ct->status & IPS_NAT_MASK;
>>> struct nf_conntrack_tuple target;
>> [A]
>>
>>>
>>> nf_ct_invert_tuple(&target, &ct->tuplehash[!dir].tuple);
>>>
>>> switch (tuple->src.l3num) {
>>> case NFPROTO_IPV4:
>>> - tcf_ct_flow_table_add_action_nat_ipv4(tuple, target,
>>> - action);
>>> + if (nat)
>> Why do the same check multiple times, on all actions? As no other
>> action is performed if not doing a nat, seems at [A] above, it could
>> just:
>>
>> if (!nat)
>> return 0;
> This function is not always return 0. It is the same for non-nat conntrack.
>
> If the ether proto is not ipv4 or ipv6 and the ip_proto is not tcp and udp,
>
> this function should return -EOPNOTSUPP. Check the nat for each type
>
> is just to following the rule.
Marcelo,
Maybe your are right. This function can any care about the nat conntrack entry and
can totally ignore all the non-nat ones
>
>>> + tcf_ct_flow_table_add_action_nat_ipv4(tuple, target,
>>> + action);
>>> break;
>>> case NFPROTO_IPV6:
>>> - tcf_ct_flow_table_add_action_nat_ipv6(tuple, target,
>>> - action);
>>> + if (nat)
>>> + tcf_ct_flow_table_add_action_nat_ipv6(tuple, target,
>>> + action);
>>> break;
>>> default:
>>> return -EOPNOTSUPP;
>>> @@ -217,10 +220,14 @@ static int tcf_ct_flow_table_add_action_nat(struct net *net,
>>>
>>> switch (nf_ct_protonum(ct)) {
>>> case IPPROTO_TCP:
>>> - tcf_ct_flow_table_add_action_nat_tcp(tuple, target, action);
>>> + if (nat)
>>> + tcf_ct_flow_table_add_action_nat_tcp(tuple, target,
>>> + action);
>>> break;
>>> case IPPROTO_UDP:
>>> - tcf_ct_flow_table_add_action_nat_udp(tuple, target, action);
>>> + if (nat)
>>> + tcf_ct_flow_table_add_action_nat_udp(tuple, target,
>>> + action);
>>> break;
>>> default:
>>> return -EOPNOTSUPP;
>>> --
>>> 1.8.3.1
>>>
Powered by blists - more mailing lists