| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 21 Nov 2020 16:44:42 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: netfilter-devel@...r.kernel.org, davem@...emloft.net,
netdev@...r.kernel.org
Subject: Re: [PATCH net 1/4] netfilter: nftables_offload: set address type
in control dissector
On Sat, 21 Nov 2020 13:35:58 +0100 Pablo Neira Ayuso wrote:
> If the address type is missing through the control dissector, then
> matching on IPv4 and IPv6 addresses does not work.
Doesn't work where? Are you talking about a specific driver?
> Set it accordingly so
> rules that specify an IP address succesfully match on packets.
>
> Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support")
> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
> ---
> include/net/netfilter/nf_tables_offload.h | 4 ++++
> net/netfilter/nf_tables_offload.c | 18 ++++++++++++++++++
> net/netfilter/nft_payload.c | 4 ++++
> 3 files changed, 26 insertions(+)
>
> diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
> index ea7d1d78b92d..bddd34c5bd79 100644
> --- a/include/net/netfilter/nf_tables_offload.h
> +++ b/include/net/netfilter/nf_tables_offload.h
> @@ -37,6 +37,7 @@ void nft_offload_update_dependency(struct nft_offload_ctx *ctx,
>
> struct nft_flow_key {
> struct flow_dissector_key_basic basic;
> + struct flow_dissector_key_control control;
> union {
> struct flow_dissector_key_ipv4_addrs ipv4;
> struct flow_dissector_key_ipv6_addrs ipv6;
> @@ -62,6 +63,9 @@ struct nft_flow_rule {
>
> #define NFT_OFFLOAD_F_ACTION (1 << 0)
>
> +void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
> + enum flow_dissector_key_id addr_type);
> +
> struct nft_rule;
> struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule);
> void nft_flow_rule_destroy(struct nft_flow_rule *flow);
> diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
> index 9f625724a20f..9a3c5ac057b6 100644
> --- a/net/netfilter/nf_tables_offload.c
> +++ b/net/netfilter/nf_tables_offload.c
> @@ -28,6 +28,24 @@ static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
> return flow;
> }
>
> +void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
> + enum flow_dissector_key_id addr_type)
> +{
> + struct nft_flow_match *match = &flow->match;
> + struct nft_flow_key *mask = &match->mask;
> + struct nft_flow_key *key = &match->key;
> +
> + if (match->dissector.used_keys & BIT(FLOW_DISSECTOR_KEY_CONTROL))
> + return;
> +
> + key->control.addr_type = addr_type;
> + mask->control.addr_type = 0xffff;
> + match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CONTROL);
> + match->dissector.offset[FLOW_DISSECTOR_KEY_CONTROL] =
> + offsetof(struct nft_flow_key, control);
Why is this injecting the match conditionally?
> +}
> +EXPORT_SYMBOL_GPL(nft_flow_rule_set_addr_type);
And why is this exported?
nf_tables-objs := nf_tables_core.o nf_tables_api.o nft_chain_filter.o \
nf_tables_trace.o nft_immediate.o nft_cmp.o nft_range.o \
nft_bitwise.o nft_byteorder.o nft_payload.o nft_lookup.o \
^^^^^^^^^^^^^
nft_dynset.o nft_meta.o nft_rt.o nft_exthdr.o \
nft_chain_route.o nf_tables_offload.o \
^^^^^^^^^^^^^^^^^^^
nft_set_hash.o nft_set_bitmap.o nft_set_rbtree.o \
nft_set_pipapo.o
These are linked together.
Powered by blists - more mailing lists