lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Z4o6-xme3AbmzrYW@calendula>
Date: Fri, 17 Jan 2025 12:12:49 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Simon Horman <horms@...nel.org>
Cc: netfilter-devel@...r.kernel.org, davem@...emloft.net,
	netdev@...r.kernel.org, kuba@...nel.org, pabeni@...hat.com,
	edumazet@...gle.com, fw@...len.de
Subject: Re: [PATCH net-next 01/14] netfilter: nf_tables: fix set size with
 rbtree backend

Hi Simon,

On Fri, Jan 17, 2025 at 10:49:57AM +0000, Simon Horman wrote:
> On Thu, Jan 16, 2025 at 06:18:49PM +0100, Pablo Neira Ayuso wrote:
> > The existing rbtree implementation uses singleton elements to represent
> > ranges, however, userspace provides a set size according to the number
> > of ranges in the set.
> > 
> > Adjust provided userspace set size to the number of singleton elements
> > in the kernel by multiplying the range by two.
> > 
> > Check if the no-match all-zero element is already in the set, in such
> > case release one slot in the set size.
> > 
> > Fixes: 0ed6389c483d ("netfilter: nf_tables: rename set implementations")
> > Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
> > ---
> >  include/net/netfilter/nf_tables.h |  3 ++
> >  net/netfilter/nf_tables_api.c     | 49 +++++++++++++++++++++++++++++--
> >  net/netfilter/nft_set_rbtree.c    | 43 +++++++++++++++++++++++++++
> >  3 files changed, 93 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
> > index 0027beca5cd5..7dcea247f853 100644
> > --- a/include/net/netfilter/nf_tables.h
> > +++ b/include/net/netfilter/nf_tables.h
> > @@ -495,6 +495,9 @@ struct nft_set_ops {
> >  					       const struct nft_set *set,
> >  					       const struct nft_set_elem *elem,
> >  					       unsigned int flags);
> > +	u32				(*ksize)(u32 size);
> > +	u32				(*usize)(u32 size);
> > +	u32				(*adjust_maxsize)(const struct nft_set *set);
> >  	void				(*commit)(struct nft_set *set);
> >  	void				(*abort)(const struct nft_set *set);
> >  	u64				(*privsize)(const struct nlattr * const nla[],
> 
> Hi Pablo,
> 
> As a follow-up could these new fields be added to
> the Kernel doc for nft_set_ops?

Sure, I can do that.

I can also send a v2 for this pull request if more comments accumulate.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ