lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <a03f1fd0-1ca2-5e08-8ecc-2692c468aeb1@ucloud.cn>
Date:   Sat, 30 May 2020 13:58:27 +0800
From:   wenxu <wenxu@...oud.cn>
To:     Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Cc:     paulb@...lanox.com, netdev@...r.kernel.org, davem@...emloft.net
Subject: Re: [PATCH] net/sched: act_ct: add nat mangle action only for
 NAT-conntrack


在 2020/5/30 8:04, wenxu 写道:
> 在 2020/5/30 1:56, Marcelo Ricardo Leitner 写道:
>> On Fri, May 29, 2020 at 12:07:45PM +0800, wenxu@...oud.cn wrote:
>>> From: wenxu <wenxu@...oud.cn>
>>>
>>> Currently add nat mangle action with comparing invert and ori tuple.
>>> It is better to check IPS_NAT_MASK flags first to avoid non necessary
>>> memcmp for non-NAT conntrack.
>>>
>>> Signed-off-by: wenxu <wenxu@...oud.cn>
>>> ---
>>>  net/sched/act_ct.c | 19 +++++++++++++------
>>>  1 file changed, 13 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
>>> index c50a86a..d621152 100644
>>> --- a/net/sched/act_ct.c
>>> +++ b/net/sched/act_ct.c
>>> @@ -198,18 +198,21 @@ static int tcf_ct_flow_table_add_action_nat(struct net *net,
>>>  					    struct flow_action *action)
>>>  {
>>>  	const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
>>> +	bool nat = ct->status & IPS_NAT_MASK;
>>>  	struct nf_conntrack_tuple target;
>> [A]
>>
>>>  
>>>  	nf_ct_invert_tuple(&target, &ct->tuplehash[!dir].tuple);
>>>  
>>>  	switch (tuple->src.l3num) {
>>>  	case NFPROTO_IPV4:
>>> -		tcf_ct_flow_table_add_action_nat_ipv4(tuple, target,
>>> -						      action);
>>> +		if (nat)
>> Why do the same check multiple times, on all actions? As no other
>> action is performed if not doing a nat, seems at [A] above, it could
>> just:
>>
>> if (!nat)
>> 	return 0;
> This function is not always return 0.  It is the same for non-nat conntrack.
>
> If the ether proto is not ipv4 or ipv6 and the ip_proto is not tcp and udp,
>
> this function should return -EOPNOTSUPP. Check the nat for each type
>
> is just to following the rule.

Marcelo,

Maybe your are right. This function can any care about the nat conntrack entry and

can totally ignore all the non-nat ones

>
>>> +			tcf_ct_flow_table_add_action_nat_ipv4(tuple, target,
>>> +							      action);
>>>  		break;
>>>  	case NFPROTO_IPV6:
>>> -		tcf_ct_flow_table_add_action_nat_ipv6(tuple, target,
>>> -						      action);
>>> +		if (nat)
>>> +			tcf_ct_flow_table_add_action_nat_ipv6(tuple, target,
>>> +							      action);
>>>  		break;
>>>  	default:
>>>  		return -EOPNOTSUPP;
>>> @@ -217,10 +220,14 @@ static int tcf_ct_flow_table_add_action_nat(struct net *net,
>>>  
>>>  	switch (nf_ct_protonum(ct)) {
>>>  	case IPPROTO_TCP:
>>> -		tcf_ct_flow_table_add_action_nat_tcp(tuple, target, action);
>>> +		if (nat)
>>> +			tcf_ct_flow_table_add_action_nat_tcp(tuple, target,
>>> +							     action);
>>>  		break;
>>>  	case IPPROTO_UDP:
>>> -		tcf_ct_flow_table_add_action_nat_udp(tuple, target, action);
>>> +		if (nat)
>>> +			tcf_ct_flow_table_add_action_nat_udp(tuple, target,
>>> +							     action);
>>>  		break;
>>>  	default:
>>>  		return -EOPNOTSUPP;
>>> -- 
>>> 1.8.3.1
>>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ