From patchwork Wed Jul 31 22:26:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1967334 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=qqHZ9E0T; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45e3:2400::1; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3130-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [IPv6:2604:1380:45e3:2400::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WZ6Ct18SHz1ydq for ; Thu, 1 Aug 2024 08:27:22 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id B746F283D80 for ; Wed, 31 Jul 2024 22:27:20 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 5AD4F16D9BE; Wed, 31 Jul 2024 22:27:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="qqHZ9E0T" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [151.80.46.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No 
client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DB5EE16D33D for ; Wed, 31 Jul 2024 22:27:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=151.80.46.58 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722464832; cv=none; b=P/54fDVMp/WrGnHl3uVtouVcBnSw9x+Uws2rDeopzHVL1wfdYt9aMGSSqLsbRxW/UQDbO4ZMc6ReA2d8AFuZZkx/QOXP8MSc4PXZysMVvGq+DONUMwufYs+lHeB+oWgO1u2jG0VmLbsJpaTKACCtSAU3zWRx1ejFyZhJojcRlL8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722464832; c=relaxed/simple; bh=LwCrtzR4aTJnl8GdN8giubDEnjxIUeCTAYL/OoPJD/o=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=nvdfSMPtXrQdJueFdKwqO4UtXLNw68XKtck96+zDPN54+8Frzw/vfZrg6gpLGlTJ7cynJGYRFPUXYk3UJbbahtjqPZjI+TWcAvoxzneQiu6SYJbdbYuQXI61H0SOvI+ff9DxIgh1CAXB3ivwlf3O3YLKADxCxrflmrSRjsyLVWc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc; spf=pass smtp.mailfrom=nwl.cc; dkim=pass (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b=qqHZ9E0T; arc=none smtp.client-ip=151.80.46.58 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nwl.cc DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=aJz19JxKWRis7mgTkcmCtU9RI1nXoc7Geak4FB0/+Gk=; b=qqHZ9E0TmZu7a+Ne1Wx8kTUi/7 SBqn1NQgK2ua4mRHfIhb/jJxsOrynFZT/ZW8vE20qxHqANRs1BSOy3hNr68issJC/T7ePccx9AEs6 1bCvuzDQ8fAsPUHO+igS+qS8LXUEGZ7KBfLXEUyMfli14oIEfcmJsxaMJjeaaUuUU9d7CUUpm4LCS 
nU4r+W4hF1ND+MCl/KnuW9e96IKPUNwcbkxIKT/F+NuJb6aVDtAnC7tjuz5rhCPj2hHZrQp31S8HB 4qhKuvGZ005NCKcV6o7pQrDI3JJSAHnP1mLLWSVum2xIlkmoQW5XjwQJhaWdRHxi5OYQrM3/eh9a8 sOT7yG/g==;
Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1sZHmn-000000003iV-0Ca5; Thu, 01 Aug 2024 00:27:09 +0200
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal, Pablo Neira Ayuso, Jan Engelhardt
Subject: [iptables PATCH 1/8] ebtables: Zero freed pointers in ebt_cs_clean()
Date: Thu, 1 Aug 2024 00:26:56 +0200
Message-ID: <20240731222703.22741-2-phil@nwl.cc>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240731222703.22741-1-phil@nwl.cc>
References: <20240731222703.22741-1-phil@nwl.cc>
Precedence: bulk
X-Mailing-List: netfilter-devel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0

Trying to recycle an iptables_command_state object by calling first the clear_cs and then the init_cs callback causes invalid data accesses with ebtables otherwise.

Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support")
Signed-off-by: Phil Sutter
---
 iptables/nft-bridge.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 0f85e21861cde..f75a13fbf1120 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -46,6 +46,7 @@ void ebt_cs_clean(struct iptables_command_state *cs) free(m); m = nm; } + cs->match_list = NULL; if (cs->target) { free(cs->target->t); From patchwork Wed Jul 31 22:26:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1967333 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=h96KGH+S; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45e3:2400::1; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3128-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [IPv6:2604:1380:45e3:2400::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WZ6Cp4RHLz1yZv for ; Thu, 1 Aug 2024 08:27:18 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 9D16628400F for ; Wed, 31 Jul 2024 22:27:16 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 453E516D9A1; Wed, 31 Jul 2024 22:27:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="h96KGH+S" X-Original-To: 
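Review bot: the hunk resets cs->match_list after the free loop, which is what the recycle path (clear_cs followed by init_cs) needs, but the subject speaks of "pointers" in the plural while only match_list is zeroed here; the `if (cs->target) {` branch directly below frees `cs->target->t`, and the hunk does not show cs->target->t or cs->target being reset afterwards, so a second clear_cs on the same object would free them again. If they are nulled further down in ebt_cs_clean(), a sentence in the commit message saying so would help; if not, the same NULL assignment belongs there too.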
netfilter-devel@vger.kernel.org
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal, Pablo Neira Ayuso, Jan Engelhardt
Subject: [iptables PATCH 2/8] ebtables: Introduce nft_bridge_init_cs()
Date: Thu, 1 Aug 2024 00:26:57 +0200
Message-ID: <20240731222703.22741-3-phil@nwl.cc>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240731222703.22741-1-phil@nwl.cc>
References: <20240731222703.22741-1-phil@nwl.cc>
Precedence: bulk
X-Mailing-List: netfilter-devel@vger.kernel.org
MIME-Version: 1.0

The custom init done by nft_rule_to_ebtables_command_state() (which is also the reason for its existence in the first place) should better go into an ebtables-specific init_cs callback. Properly calling it from do_commandeb() then removes the need for that custom rule_to_cs callback.

Signed-off-by: Phil Sutter
---
 iptables/nft-bridge.c | 11 +++++------
 iptables/xtables-eb.c |  4 +++-
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index f75a13fbf1120..1623acbac0ba6 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -203,12 +203,9 @@ static int nft_bridge_add(struct nft_handle *h, struct nft_rule_ctx *ctx, return _add_action(r, cs); } -static bool nft_rule_to_ebtables_command_state(struct nft_handle *h, - const struct nftnl_rule *r, - struct iptables_command_state *cs) +static void nft_bridge_init_cs(struct iptables_command_state *cs) { cs->eb.bitmask = EBT_NOPROTO; - return nft_rule_to_iptables_command_state(h, r, cs); } static void print_iface(const char *option, const char *name, bool invert) @@ -353,7 +350,8 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r, if (format & FMT_LINENUMBERS) printf("%d. ", num); - nft_rule_to_ebtables_command_state(h, r, &cs); + nft_bridge_init_cs(&cs); + nft_rule_to_iptables_command_state(h, r, &cs); __nft_bridge_save_rule(&cs, format); ebt_cs_clean(&cs); } @@ -699,7 +697,8 @@ struct nft_family_ops nft_family_ops_bridge = { .print_rule = nft_bridge_print_rule, .save_rule = nft_bridge_save_rule, .save_chain = nft_bridge_save_chain, - .rule_to_cs = nft_rule_to_ebtables_command_state, + .rule_to_cs = nft_rule_to_iptables_command_state, + .init_cs = nft_bridge_init_cs, .clear_cs = ebt_cs_clean, .xlate = nft_bridge_xlate, }; diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 51c699defb047..45663a3ad0ee0 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -557,7 +557,6 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, .argc = argc, .argv = argv, .jumpto = "", - .eb.bitmask = EBT_NOPROTO, }; const struct builtin_table *t; struct xtables_args args = { 
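Review bot: in the nft_bridge_print_rule() hunk the return value of the now direct call `+ nft_rule_to_iptables_command_state(h, r, &cs);` is dropped, so a rule whose expressions fail to parse is still handed to __nft_bridge_save_rule() and printed from a partially filled cs. The removed wrapper returned that bool and the caller ignored it as well, so the behaviour is pre-existing, but with the wrapper gone this is the place to either check it (skip or flag the rule) or add a comment stating why printing a partial rule is acceptable.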
@@ -572,6 +571,9 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, }; int ret = 0; + if (h->ops->init_cs) + h->ops->init_cs(&cs); + do_parse(argc, argv, &p, &cs, &args); h->verbose = p.verbose; From patchwork Wed Jul 31 22:26:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1967337 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=dwomQpCO; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:40f1:3f00::1; helo=sy.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3132-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org [IPv6:2604:1380:40f1:3f00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WZ6Cx4BVbz1yZv for ; Thu, 1 Aug 2024 08:27:25 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 4F26DB23240 for ; Wed, 31 Jul 2024 22:27:25 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B4D9716D9CC; Wed, 31 Jul 2024 22:27:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) 
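Review bot: the two do_commandeb() hunks drop `.eb.bitmask = EBT_NOPROTO` from the initializer and rely on `+ if (h->ops->init_cs)` / `+ h->ops->init_cs(&cs);` to restore it. Because of the NULL check, a handle whose ops table lacks init_cs would now run do_parse() with eb.bitmask == 0 where it used to be EBT_NOPROTO unconditionally. Since do_commandeb() is the ebtables front end and nft_family_ops_bridge gains init_cs in the same patch, the guard is either dead or hides a silent behaviour change; calling the callback unconditionally makes a missing callback obvious instead of quietly parsing with a zero bitmask.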
header.d=nwl.cc header.i=@nwl.cc header.b="dwomQpCO"
X-Original-To: netfilter-devel@vger.kernel.org
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal, Pablo Neira Ayuso, Jan Engelhardt
Subject: [iptables PATCH 3/8] nft: Reduce overhead in nft_rule_find()
Date: Thu, 1 Aug 2024 00:26:58 +0200
Message-ID: <20240731222703.22741-4-phil@nwl.cc>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240731222703.22741-1-phil@nwl.cc>
References: <20240731222703.22741-1-phil@nwl.cc>
Precedence: bulk
X-Mailing-List: netfilter-devel@vger.kernel.org
MIME-Version: 1.0

When iterating through the list of rules in a chain comparing against a sample, there is no point in carrying that sample as an nftnl_rule object and converting it into an iptables_command_state object prior to each comparison. Just do it up front and adjust the callback accordingly.

Signed-off-by: Phil Sutter
---
 iptables/nft.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index 8b1803181b207..88be5ede5171d 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2392,25 +2392,22 @@ static int __nft_rule_del(struct nft_handle *h, struct nftnl_rule *r) } static bool nft_rule_cmp(struct nft_handle *h, struct nftnl_rule *r, - struct nftnl_rule *rule) + struct iptables_command_state *cs) { - struct iptables_command_state _cs = {}, this = {}, *cs = &_cs; - bool ret = false, ret_this, ret_that; + struct iptables_command_state this = {}; + bool ret = false, ret_this; - if (h->ops->init_cs) { + if (h->ops->init_cs) h->ops->init_cs(&this); - h->ops->init_cs(cs); - } ret_this = h->ops->rule_to_cs(h, r, &this); - ret_that = h->ops->rule_to_cs(h, rule, cs); - DEBUGP("comparing with... "); + DEBUGP("with ... "); #ifdef DEBUG_DEL nft_rule_print_save(h, r, NFT_RULE_APPEND, 0); #endif - if (!ret_this || !ret_that) - DEBUGP("Cannot convert rules: %d %d\n", ret_this, ret_that); + if (!ret_this) + DEBUGP("Cannot convert rule: %d\n", ret_this); if (!h->ops->is_same(cs, &this)) goto out; @@ -2434,7 +2431,6 @@ static bool nft_rule_cmp(struct nft_handle *h, struct nftnl_rule *r, ret = true; out: h->ops->clear_cs(&this); - h->ops->clear_cs(cs); return ret; } @@ -2442,6 +2438,7 @@ static struct nftnl_rule * nft_rule_find(struct nft_handle *h, struct nft_chain *nc, struct nftnl_rule *rule, int rulenum) { + struct iptables_command_state cs = {}; struct nftnl_chain *c = nc->nftnl; struct nftnl_rule *r; struct nftnl_rule_iter *iter; @@ -2455,9 +2452,20 @@ nft_rule_find(struct nft_handle *h, struct nft_chain *nc, if (iter == NULL) return 0; + if (h->ops->init_cs) + h->ops->init_cs(&cs); + + if (!h->ops->rule_to_cs(h, rule, &cs)) + return NULL; + + DEBUGP("comparing ... "); +#ifdef DEBUG_DEL + nft_rule_print_save(h, rule, NFT_RULE_APPEND, 0); +#endif + r = nftnl_rule_iter_next(iter); while (r != NULL) { - found = nft_rule_cmp(h, r, rule); + found = nft_rule_cmp(h, r, &cs); if (found) break; r = nftnl_rule_iter_next(iter); 
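Review bot: in the nft_rule_cmp() hunk, `+ if (!ret_this)` only emits `DEBUGP("Cannot convert rule: %d\n", ret_this);` and then falls through to `h->ops->is_same(cs, &this)` with a partially converted `this`. That mirrors the old code, but the caller in nft_rule_find() now treats a failed conversion of the sample as "not found", so for symmetry a candidate that fails to convert should `goto out` instead of being compared; otherwise an unparseable rule in the chain could compare equal to a sample whose fields happen to be at their defaults.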
@@ -2465,6 +2473,8 @@ nft_rule_find(struct nft_handle *h, struct nft_chain *nc, nftnl_rule_iter_destroy(iter); + h->ops->clear_cs(&cs); + return found ? r : NULL; } From patchwork Wed Jul 31 22:26:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1967341 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=clsuy/wQ; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:4601:e00::3; helo=am.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3136-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from am.mirrors.kernel.org (am.mirrors.kernel.org [IPv6:2604:1380:4601:e00::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WZ6D61n9jz1yZv for ; Thu, 1 Aug 2024 08:27:34 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id BC3B01F2283E for ; Wed, 31 Jul 2024 22:27:31 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 98CB116DC03; Wed, 31 Jul 2024 22:27:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="clsuy/wQ" X-Original-To: 
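Review bot: the early return `+ if (!h->ops->rule_to_cs(h, rule, &cs))` / `+ return NULL;` in the preceding nft_rule_find() hunk sits after the iterator was created (the `if (iter == NULL) return 0;` check just above it), so that path leaves without nftnl_rule_iter_destroy(iter) and without the `+ h->ops->clear_cs(&cs);` this hunk adds at the normal exit. A sample rule that fails to convert therefore leaks the iterator and whatever rule_to_cs allocated into cs (for ebtables that is the match list patch 1 just taught ebt_cs_clean() to reset). Converting the sample before creating the iterator, or jumping to a common exit that destroys the iterator and clears cs, covers both; while here, the neighbouring `return 0;` for a NULL iter should be `return NULL;` to match the function's pointer return type.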
netfilter-devel@vger.kernel.org
Xf1p0UfOl7raUVZnyNVbJmdNMifkSzVmqLRqHvNW0pjKp14f9fMABD4F1Z4TBCarH+uLXS+75WQh0 af3aQEa7kV04CYJ0lE+WhyHL6QQ9Hhq8NuADbC37/9E3MJN/xviiYC5zoaL6TlOwrKaMmwDcs8bJA PDQ0CKSvV8ogTBpirvn5XhnCozDQQ5S3KLC0Mzk+DbCOPePou58pNJrzekSwZStQ+ksNE3LbLqrBF 3xd9Jxni7iXFEfMZM6kyzSBIAikju/BihArqwXpzbvXl0bYPWbuLKFuDy5f32Bz7VPd/vtPXUXqYi RBMLnTXA==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1sZHmp-000000003iz-3i2P; Thu, 01 Aug 2024 00:27:11 +0200 From: Phil Sutter To: netfilter-devel@vger.kernel.org Cc: Florian Westphal , Pablo Neira Ayuso , Jan Engelhardt Subject: [iptables PATCH 4/8] nft: ruleparse: Drop 'iter' variable in nft_rule_to_iptables_command_state Date: Thu, 1 Aug 2024 00:26:59 +0200 Message-ID: <20240731222703.22741-5-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240731222703.22741-1-phil@nwl.cc> References: <20240731222703.22741-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Use the same named field in 'ctx' instead, it has to carry the value anyway. Signed-off-by: Phil Sutter --- iptables/nft-ruleparse.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c index 3b1cbe4fa1499..1ee7a94db59de 100644 --- a/iptables/nft-ruleparse.c +++ b/iptables/nft-ruleparse.c @@ -891,7 +891,6 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h, const struct nftnl_rule *r, struct iptables_command_state *cs) { - struct nftnl_expr_iter *iter; struct nftnl_expr *expr; struct nft_xt_ctx ctx = { .cs = cs, 
@@ -900,12 +899,11 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h, }; bool ret = true; - iter = nftnl_expr_iter_create(r); - if (iter == NULL) + ctx.iter = nftnl_expr_iter_create(r); + if (ctx.iter == NULL) return false; - ctx.iter = iter; - expr = nftnl_expr_iter_next(iter); + expr = nftnl_expr_iter_next(ctx.iter); while (expr != NULL) { const char *name = nftnl_expr_get_str(expr, NFTNL_EXPR_NAME); 
@@ -941,10 +939,10 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h, ret = false; } - expr = nftnl_expr_iter_next(iter); + expr = nftnl_expr_iter_next(ctx.iter); } - nftnl_expr_iter_destroy(iter); + nftnl_expr_iter_destroy(ctx.iter); if (nftnl_rule_is_set(r, NFTNL_RULE_USERDATA)) { const void *data; From patchwork Wed Jul 31 22:27:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1967338 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=Vvq+pmnb; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:40f1:3f00::1; helo=sy.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3134-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org [IPv6:2604:1380:40f1:3f00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WZ6D15SlMz1ydq for ; Thu, 1 Aug 2024 08:27:29 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 3DC6DB21E1A for ; Wed, 31 Jul 2024 22:27:29 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 239B416D9DE; Wed, 31 Jul 2024 22:27:14 +0000 (UTC) Authentication-Results: 
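Review bot: after `+ nftnl_expr_iter_destroy(ctx.iter);` the function continues into the `if (nftnl_rule_is_set(r, NFTNL_RULE_USERDATA))` block with ctx still in scope, so ctx.iter is now a dangling pointer for the rest of nft_rule_to_iptables_command_state() rather than an unrelated local that was never reused. Nothing in the hunk reads it afterwards, but since the point of the change is that ctx carries the iterator, assigning `ctx.iter = NULL;` right after the destroy keeps any later helper that takes ctx from touching freed memory.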
smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="Vvq+pmnb"
X-Original-To: netfilter-devel@vger.kernel.org
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal, Pablo Neira Ayuso, Jan Engelhardt
Subject: [iptables PATCH 5/8] nft: ruleparse: Introduce nft_parse_rule_expr()
Date: Thu, 1 Aug 2024 00:27:00 +0200
Message-ID: <20240731222703.22741-6-phil@nwl.cc>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240731222703.22741-1-phil@nwl.cc>
References: <20240731222703.22741-1-phil@nwl.cc>
Precedence: bulk
X-Mailing-List: netfilter-devel@vger.kernel.org
MIME-Version: 1.0

Extract the parsing of one expression into a separate function and export it, preparing for following code changes.

Signed-off-by: Phil Sutter
---
 iptables/nft-ruleparse.c | 73 ++++++++++++++++++++++------------
 iptables/nft-ruleparse.h |  4 +++
 2 files changed, 44 insertions(+), 33 deletions(-)

diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c
index 1ee7a94db59de..757d3c29fc816 100644
--- a/iptables/nft-ruleparse.c
+++ b/iptables/nft-ruleparse.c
@@ -887,6 +887,45 @@ static void nft_parse_range(struct nft_xt_ctx *ctx, struct nftnl_expr *e) } } +bool nft_parse_rule_expr(struct nft_handle *h, + struct nftnl_expr *expr, + struct nft_xt_ctx *ctx) +{ + const char *name = nftnl_expr_get_str(expr, NFTNL_EXPR_NAME); + + if (strcmp(name, "counter") == 0) + nft_parse_counter(expr, &ctx->cs->counters); + else if (strcmp(name, "payload") == 0) + nft_parse_payload(ctx, expr); + else if (strcmp(name, "meta") == 0) + nft_parse_meta(ctx, expr); + else if (strcmp(name, "bitwise") == 0) + nft_parse_bitwise(ctx, expr); + else if (strcmp(name, "cmp") == 0) + nft_parse_cmp(ctx, expr); + else if (strcmp(name, "immediate") == 0) + nft_parse_immediate(ctx, expr); + else if (strcmp(name, "match") == 0) + nft_parse_match(ctx, expr); + else if (strcmp(name, "target") == 0) + nft_parse_target(ctx, expr); + else if (strcmp(name, "limit") == 0) + nft_parse_limit(ctx, expr); + else if (strcmp(name, "lookup") == 0) + nft_parse_lookup(ctx, h, expr); + else if (strcmp(name, "log") == 0) + nft_parse_log(ctx, expr); + else if (strcmp(name, "range") == 0) + nft_parse_range(ctx, expr); + + if (ctx->errmsg) { + fprintf(stderr, "Error: %s\n", ctx->errmsg); + ctx->errmsg = NULL; + return false; + } + return true; +} + bool nft_rule_to_iptables_command_state(struct nft_handle *h, const struct nftnl_rule *r, struct iptables_command_state *cs) 
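Review bot: nft_parse_rule_expr() is exported but reports and discards the error itself (`+ fprintf(stderr, "Error: %s\n", ctx->errmsg);` / `+ ctx->errmsg = NULL;` / `+ return false;`), so a new caller outside nft-ruleparse.c only ever sees a bool and can neither attach context to the message nor suppress it. Since the commit message says this prepares for further callers, consider leaving ctx->errmsg set and letting the caller decide how to report it. Separately, an expression whose name matches none of the strcmp() branches falls out of the chain and returns true; a final `else` that records an error in ctx->errmsg (or at least a DEBUGP) would make unknown expression types visible instead of silently accepting a rule that was only partly parsed.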
@@ -905,40 +944,8 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h, expr = nftnl_expr_iter_next(ctx.iter); while (expr != NULL) { - const char *name = - nftnl_expr_get_str(expr, NFTNL_EXPR_NAME); - - if (strcmp(name, "counter") == 0) - nft_parse_counter(expr, &ctx.cs->counters); - else if (strcmp(name, "payload") == 0) - nft_parse_payload(&ctx, expr); - else if (strcmp(name, "meta") == 0) - nft_parse_meta(&ctx, expr); - else if (strcmp(name, "bitwise") == 0) - nft_parse_bitwise(&ctx, expr); - else if (strcmp(name, "cmp") == 0) - nft_parse_cmp(&ctx, expr); - else if (strcmp(name, "immediate") == 0) - nft_parse_immediate(&ctx, expr); - else if (strcmp(name, "match") == 0) - nft_parse_match(&ctx, expr); - else if (strcmp(name, "target") == 0) - nft_parse_target(&ctx, expr); - else if (strcmp(name, "limit") == 0) - nft_parse_limit(&ctx, expr); - else if (strcmp(name, "lookup") == 0) - nft_parse_lookup(&ctx, h, expr); - else if (strcmp(name, "log") == 0) - nft_parse_log(&ctx, expr); - else if (strcmp(name, "range") == 0) - nft_parse_range(&ctx, expr); - - if (ctx.errmsg) { - fprintf(stderr, "Error: %s\n", ctx.errmsg); - ctx.errmsg = NULL; + if (!nft_parse_rule_expr(h, expr, &ctx)) ret = false; - } - expr = nftnl_expr_iter_next(ctx.iter); } diff --git a/iptables/nft-ruleparse.h b/iptables/nft-ruleparse.h index 62c9160d77711..0377e4ae17a6e 100644 --- a/iptables/nft-ruleparse.h +++ b/iptables/nft-ruleparse.h 
@@ -133,4 +133,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key, int nft_parse_hl(struct nft_xt_ctx *ctx, struct nftnl_expr *e, struct iptables_command_state *cs); +bool nft_parse_rule_expr(struct nft_handle *h, + struct nftnl_expr *expr, + struct nft_xt_ctx *ctx); + #endif /* _NFT_RULEPARSE_H_ */

From patchwork Wed Jul 31 22:27:01 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1967335
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal, Pablo Neira Ayuso, Jan Engelhardt
Subject: [iptables PATCH 6/8] nft: __add_{match,target}() can't fail
Date: Thu, 1 Aug 2024 00:27:01 +0200
Message-ID: <20240731222703.22741-7-phil@nwl.cc>
In-Reply-To: <20240731222703.22741-1-phil@nwl.cc>
References: <20240731222703.22741-1-phil@nwl.cc>

These functions either call xtables_error() which terminates the process or succeed - make them return void. While at it, export them as rule parsing code will call them in future. Also make input parameters const, they're not supposed to alter extension data.

Signed-off-by: Phil Sutter --- iptables/nft.c | 28 ++++++++++------------------ iptables/nft.h | 2 ++ 2 files changed, 12 insertions(+), 18 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index 88be5ede5171d..cabcc884b4069 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1034,7 +1034,7 @@ int nft_chain_set(struct nft_handle *h, const char *table, return 1; } -static int __add_match(struct nftnl_expr *e, struct xt_entry_match *m) +void __add_match(struct nftnl_expr *e, const struct xt_entry_match *m) { void *info;
@@ -1044,8 +1044,6 @@ static int __add_match(struct nftnl_expr *e, struct xt_entry_match *m) info = xtables_calloc(1, m->u.match_size); memcpy(info, m->data, m->u.match_size - sizeof(*m)); nftnl_expr_set(e, NFTNL_EXPR_MT_INFO, info, m->u.match_size - sizeof(*m)); - - return 0; } static int add_nft_limit(struct nftnl_rule *r, struct xt_entry_match *m) @@ -1378,11 +1376,10 @@ static int add_nft_udp(struct nft_handle *h, struct nftnl_rule *r, if (udp->invflags > XT_UDP_INV_MASK || udp_all_zero(udp)) { struct nftnl_expr *expr = nftnl_expr_alloc("match"); - int ret; - ret = __add_match(expr, m); + __add_match(expr, m); nftnl_rule_add_expr(r, expr); - return ret; + return 0; } if (nftnl_rule_get_u32(r, NFTNL_RULE_COMPAT_PROTO) != IPPROTO_UDP) @@ -1431,11 +1428,10 @@ static int add_nft_tcp(struct nft_handle *h, struct nftnl_rule *r, if (tcp->invflags & ~supported || tcp->option || tcp_all_zero(tcp)) { struct nftnl_expr *expr = nftnl_expr_alloc("match"); - int ret; - ret = __add_match(expr, m); + __add_match(expr, m); nftnl_rule_add_expr(r, expr); - return ret; + return 0; } if (nftnl_rule_get_u32(r, NFTNL_RULE_COMPAT_PROTO) != IPPROTO_TCP) @@ -1478,7 +1474,6 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx, struct nftnl_rule *r, struct xt_entry_match *m) { struct nftnl_expr *expr; - int ret; switch (ctx->command) { case NFT_COMPAT_RULE_APPEND: @@ -1503,13 +1498,13 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx, if (expr == NULL) return -ENOMEM; - ret = __add_match(expr, m); + __add_match(expr, m); nftnl_rule_add_expr(r, expr); - return ret; + return 0; } -static int __add_target(struct nftnl_expr *e, struct xt_entry_target *t) +void __add_target(struct nftnl_expr *e, const struct xt_entry_target *t) { void *info; 
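Review bot: in the add_nft_udp() and add_nft_tcp() hunks, `struct nftnl_expr *expr = nftnl_expr_alloc("match");` is still handed to __add_match() without a NULL check, while add_match() in the following hunk keeps `if (expr == NULL) return -ENOMEM;` before the same call; since __add_match() now dereferences e unconditionally and has no way to report failure, add the same check (or make the allocation failure fatal with xtables_error()) in both branches so the call sites behave alike. With the error path gone, the repeated alloc/__add_match/nftnl_rule_add_expr triple in those two branches could also become a small helper.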
@@ -1520,8 +1515,6 @@ static int __add_target(struct nftnl_expr *e, struct xt_entry_target *t) info = xtables_calloc(1, t->u.target_size); memcpy(info, t->data, t->u.target_size - sizeof(*t)); nftnl_expr_set(e, NFTNL_EXPR_TG_INFO, info, t->u.target_size - sizeof(*t)); - - return 0; } static int add_meta_nftrace(struct nftnl_rule *r) @@ -1549,7 +1542,6 @@ static int add_meta_nftrace(struct nftnl_rule *r) int add_target(struct nftnl_rule *r, struct xt_entry_target *t) { struct nftnl_expr *expr; - int ret; if (strcmp(t->u.user.name, "TRACE") == 0) return add_meta_nftrace(r); @@ -1558,10 +1550,10 @@ int add_target(struct nftnl_rule *r, struct xt_entry_target *t) if (expr == NULL) return -ENOMEM; - ret = __add_target(expr, t); + __add_target(expr, t); nftnl_rule_add_expr(r, expr); - return ret; + return 0; } int add_jumpto(struct nftnl_rule *r, const char *name, int verdict) diff --git a/iptables/nft.h b/iptables/nft.h index 8f17f3100a190..54fe5210ad1ac 100644 --- a/iptables/nft.h +++ b/iptables/nft.h 
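Review bot: __add_match() and __add_target() keep their double-underscore prefix while becoming non-static; identifiers starting with two underscores are reserved for the implementation in C, and once they are declared in nft.h (next hunk) they are part of the module's interface. Names such as nft_expr_set_match()/nft_expr_set_target() (suggested here, not from the patch) avoid the reserved namespace and also say what the functions do: fill an already allocated expression, as opposed to add_match()/add_target(), which allocate one and attach it to the rule. The add_target() change itself mirrors add_match() and looks correct.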
@@ -192,8 +192,10 @@ bool nft_rule_is_policy_rule(struct nftnl_rule *r); */ int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes); int add_verdict(struct nftnl_rule *r, int verdict); +void __add_match(struct nftnl_expr *e, const struct xt_entry_match *m); int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx, struct nftnl_rule *r, struct xt_entry_match *m); +void __add_target(struct nftnl_expr *e, const struct xt_entry_target *t); int add_target(struct nftnl_rule *r, struct xt_entry_target *t); int add_jumpto(struct nftnl_rule *r, const char *name, int verdict); int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);

From patchwork Wed Jul 31 22:27:02 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1967340
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal, Pablo Neira Ayuso, Jan Engelhardt
Subject: [iptables PATCH 7/8] nft: Introduce UDATA_TYPE_COMPAT_EXT
Date: Thu, 1 Aug 2024 00:27:02 +0200
Message-ID: <20240731222703.22741-8-phil@nwl.cc>
In-Reply-To: <20240731222703.22741-1-phil@nwl.cc>
References: <20240731222703.22741-1-phil@nwl.cc>

This new rule udata attribute will contain extensions which have been converted to native nftables expressions for rule parsers to fall back to. While at it, export parse_udata_cb() as rule parsing code will call it in future.

Signed-off-by: Phil Sutter --- iptables/nft.c | 11 +++-------- iptables/nft.h | 12 ++++++++++++ 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index cabcc884b4069..64ac35f2edcf3 100644 --- a/iptables/nft.c
+++ b/iptables/nft.c @@ -1668,14 +1668,7 @@ int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes) return 0; } -enum udata_type { - UDATA_TYPE_COMMENT, - UDATA_TYPE_EBTABLES_POLICY, - __UDATA_TYPE_MAX, -}; -#define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1) - -static int parse_udata_cb(const struct nftnl_udata *attr, void *data) +int parse_udata_cb(const struct nftnl_udata *attr, void *data) { unsigned char *value = nftnl_udata_get(attr); uint8_t type = nftnl_udata_type(attr); @@ -1689,6 +1682,8 @@ static int parse_udata_cb(const struct nftnl_udata *attr, void *data) break; case UDATA_TYPE_EBTABLES_POLICY: break; + case UDATA_TYPE_COMPAT_EXT: + break; default: return 0; } diff --git a/iptables/nft.h b/iptables/nft.h index 54fe5210ad1ac..d6424f499cfcf 100644 --- a/iptables/nft.h +++ b/iptables/nft.h 
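Review bot: `case UDATA_TYPE_COMPAT_EXT: break;` accepts the new attribute at any length, including zero, and hands it to the caller like the existing types; since this attribute is going to carry a binary header plus payload, rejecting an attribute shorter than that header from the callback keeps the length validation in one place instead of in every consumer. On the nft.h side, enum udata_type now lives in a public header and its numeric values are persisted in rule userdata by the kernel, so a comment that the values are ABI and new types must be appended before __UDATA_TYPE_MAX would prevent accidental reordering; and the `data` contract of the exported parse_udata_cb() (a `const struct nftnl_udata *tb[UDATA_TYPE_MAX + 1]` array, as patch 8/8 uses it) should be documented at the declaration.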
@@ -276,4 +276,16 @@ void nft_assert_table_compatible(struct nft_handle *h, int ebt_set_user_chain_policy(struct nft_handle *h, const char *table, const char *chain, const char *policy); +struct nftnl_udata; + +enum udata_type { + UDATA_TYPE_COMMENT, + UDATA_TYPE_EBTABLES_POLICY, + UDATA_TYPE_COMPAT_EXT, + __UDATA_TYPE_MAX, +}; +#define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1) + +int parse_udata_cb(const struct nftnl_udata *attr, void *data); + #endif

From patchwork Wed Jul 31 22:27:03 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1967339
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal, Pablo Neira Ayuso, Jan Engelhardt
Subject: [iptables RFC PATCH 8/8] nft: Support compat extensions in rule userdata
Date: Thu, 1 Aug 2024 00:27:03 +0200
Message-ID: <20240731222703.22741-9-phil@nwl.cc>
In-Reply-To: <20240731222703.22741-1-phil@nwl.cc>
References: <20240731222703.22741-1-phil@nwl.cc>

Add a mechanism providing forward compatibility for the current and future versions of iptables-nft (and all other nft-variants) by annotating nftnl rules with the extensions they were created for. Upon nftnl rule parsing failure, warn about the situation and perform a second attempt loading the respective compat extensions instead of the native expressions which replace them.

The foundational assumption is that libxtables extensions are stable and thus the VM code created on their behalf does not need to be.

Since nftnl rule userdata attributes are restricted to 255 bytes, the implementation focusses on low memory consumption. Therefore, extensions which remain in the rule as compat expressions are not also added to userdata. In turn, extensions in userdata are annotated by start and end expression number they are replacing. Also, the actual payload is zipped using zlib.

Signed-off-by: Phil Sutter --- configure.ac | 9 ++ iptables/Makefile.am | 1 + iptables/nft-compat.c | 217 +++++++++++++++++++++++++++++++++++++++ iptables/nft-compat.h | 54 ++++++++++ iptables/nft-ruleparse.c | 21 ++++ iptables/nft.c | 39 +++++-- 6 files changed, 331 insertions(+), 10 deletions(-) create mode 100644 iptables/nft-compat.c create mode 100644 iptables/nft-compat.h diff --git a/configure.ac b/configure.ac index 2293702b17a47..a18df531953d6 100644 --- a/configure.ac +++ b/configure.ac
@@ -77,6 +77,14 @@ AC_ARG_WITH([xt-lock-name], AS_HELP_STRING([--with-xt-lock-name=PATH], AC_ARG_ENABLE([profiling], AS_HELP_STRING([--enable-profiling], [build for use of gcov/gprof]), [enable_profiling="$enableval"], [enable_profiling="no"]) +AC_ARG_WITH([zlib], [AS_HELP_STRING([--without-zlib], + [Disable payload compression of rule compat expressions])], + [], [with_zlib=yes]) +AS_IF([test "x$with_zlib" != xno], [ + AC_CHECK_LIB([z], [compress], , + AC_MSG_ERROR([No suitable version of zlib found])) + AC_DEFINE([HAVE_ZLIB], [1], [Define if you have zlib]) +]) AC_MSG_CHECKING([whether $LD knows -Wl,--no-undefined]) saved_LDFLAGS="$LDFLAGS"; @@ -270,6 +278,7 @@ echo " nftables support: ${enable_nftables} connlabel support: ${enable_connlabel} profiling support: ${enable_profiling} + compress rule compat expressions: ${with_zlib} Build parameters: Put plugins into executable (static): ${enable_static} diff --git a/iptables/Makefile.am b/iptables/Makefile.am index 2007cd10260bd..4855c9a7c2911 100644 --- a/iptables/Makefile.am +++ b/iptables/Makefile.am @@ -57,6 +57,7 @@ xtables_nft_multi_SOURCES += nft.c nft.h \ nft-ruleparse-arp.c nft-ruleparse-bridge.c \ nft-ruleparse-ipv4.c nft-ruleparse-ipv6.c \ nft-shared.c nft-shared.h \ + nft-compat.c nft-compat.h \ xtables-monitor.c \ xtables.c xtables-arp.c xtables-eb.c \ xtables-standalone.c xtables-eb-standalone.c \ diff --git a/iptables/nft-compat.c b/iptables/nft-compat.c new file mode 100644 index 0000000000000..2e37dee6cdc43 --- /dev/null +++ b/iptables/nft-compat.c 
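Review bot: AC_CHECK_LIB([z], [compress], , ...) with an empty action-if-found takes autoconf's default, which prepends -lz to the global LIBS, so every program in the tree links against zlib although only xtables-nft-multi gains nft-compat.c in the Makefile.am hunk; put the library in a dedicated variable (for instance AC_SUBST([ZLIB_LIBS]), an assumed name) and add it to xtables_nft_multi_LDADD instead. Also, since a missing zlib is fatal unless --without-zlib is passed, zlib becomes a hard build dependency by default; the help string only describes the disable switch, so state the default there and in the summary line "compress rule compat expressions: ${with_zlib}".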
@@ -0,0 +1,217 @@ +#include "config.h" +#include "nft-compat.h" +#include "nft-ruleparse.h" +#include "nft.h" + +#include +#include +#include + +#ifdef HAVE_ZLIB +#include +#endif + +#include + +int nftnl_rule_expr_count(const struct nftnl_rule *r) +{ + struct nftnl_expr_iter *iter = nftnl_expr_iter_create(r); + int cnt = 0; + + if (!iter) + return -1; + + while (nftnl_expr_iter_next(iter)) + cnt++; + + nftnl_expr_iter_destroy(iter); + return cnt; +} + +static struct rule_udata_ext * +__rule_get_udata_ext(const void *data, uint32_t data_len, uint32_t *outlen) +{ + const struct nftnl_udata *tb[UDATA_TYPE_MAX + 1] = {}; + + if (nftnl_udata_parse(data, data_len, parse_udata_cb, tb) < 0) + return NULL; + + if (!tb[UDATA_TYPE_COMPAT_EXT]) + return NULL; + + if (outlen) + *outlen = nftnl_udata_len(tb[UDATA_TYPE_COMPAT_EXT]); + return nftnl_udata_get(tb[UDATA_TYPE_COMPAT_EXT]); +} + +struct rule_udata_ext * +rule_get_udata_ext(const struct nftnl_rule *r, uint32_t *outlen) +{ + struct nftnl_udata_buf *udata; + uint32_t udatalen; + + udata = (void *)nftnl_rule_get_data(r, NFTNL_RULE_USERDATA, &udatalen); + if (!udata) + return NULL; + + return __rule_get_udata_ext(udata, udatalen, outlen); +} + +static void +pack_rule_udata_ext_data(struct rule_udata_ext *rue, + const void *data, size_t datalen) +{ + size_t datalen_out = datalen; +#ifdef HAVE_ZLIB + compress(rue->data, &datalen_out, data, datalen); + rue->zip = true; +#else + memcpy(rue->data, data, datalen); +#endif + rue->size = datalen_out; +} + +void rule_add_udata_ext(struct nftnl_rule *r, + uint16_t start_idx, uint16_t end_idx, + uint8_t type, uint16_t size, const void *data) +{ + struct rule_udata_ext *ext = NULL; + uint32_t extlen = 0, newextlen; + char *newext; + void *udata; + + ext = rule_get_udata_ext(r, &extlen); + if (!ext) + extlen = 0; + + udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN); + if (!udata) + xtables_error(OTHER_PROBLEM, "can't alloc memory!"); + + newextlen = sizeof(*ext) + size; + newext = 
xtables_malloc(extlen + newextlen); + if (extlen) + memcpy(newext, ext, extlen); + memset(newext + extlen, 0, newextlen); + + ext = (struct rule_udata_ext *)(newext + extlen); + ext->start_idx = start_idx; + ext->end_idx = end_idx; + ext->type = type; + ext->orig_size = size; + pack_rule_udata_ext_data(ext, data, size); + newextlen = sizeof(*ext) + ext->size; + + if (!nftnl_udata_put(udata, UDATA_TYPE_COMPAT_EXT, + extlen + newextlen, newext) || + nftnl_rule_set_data(r, NFTNL_RULE_USERDATA, + nftnl_udata_buf_data(udata), + nftnl_udata_buf_len(udata))) + xtables_error(OTHER_PROBLEM, "can't alloc memory!"); + + free(newext); + nftnl_udata_buf_free(udata); +} + +static struct nftnl_expr * +__nftnl_expr_from_udata_ext(struct rule_udata_ext *rue, const void *data) +{ + struct nftnl_expr *expr = NULL; + + switch (rue->type) { + case RUE_TYPE_MATCH: + expr = nftnl_expr_alloc("match"); + __add_match(expr, data); + break; + case RUE_TYPE_TARGET: + expr = nftnl_expr_alloc("target"); + __add_target(expr, data); + break; + default: + fprintf(stderr, + "Warning: Unexpected udata extension type %d\n", + rue->type); + } + + return expr; +} + +static struct nftnl_expr * +nftnl_expr_from_zipped_udata_ext(struct rule_udata_ext *rue) +{ +#ifdef HAVE_ZLIB + uLongf datalen = rue->orig_size; + struct nftnl_expr *expr = NULL; + void *data; + + data = xtables_malloc(datalen); + if (uncompress(data, &datalen, rue->data, rue->size) != Z_OK) { + fprintf(stderr, "Warning: Failed to uncompress rule udata extension\n"); + goto out; + } + + expr = __nftnl_expr_from_udata_ext(rue, data); +out: + free(data); + return expr; +#else + fprintf(stderr, "Warning: Zipped udata extensions are not supported.\n"); + return NULL; +#endif +} + +static struct nftnl_expr *nftnl_expr_from_udata_ext(struct rule_udata_ext *rue) +{ + if (rue->zip) + return nftnl_expr_from_zipped_udata_ext(rue); + else + return __nftnl_expr_from_udata_ext(rue, rue->data); +} + +bool rule_has_udata_ext(const struct nftnl_rule *r) +{ 
+ return rule_get_udata_ext(r, NULL) != NULL; +} + +#define rule_udata_ext_foreach(rue, ext, extlen) \ + for (rue = (void *)(ext); \ + (char *)rue < (char *)(ext) + extlen; \ + rue = (void *)((char *)rue + sizeof(*rue) + rue->size)) + +bool rule_parse_udata_ext(struct nft_xt_ctx *ctx, const struct nftnl_rule *r) +{ + struct rule_udata_ext *rue; + struct nftnl_expr *expr; + uint32_t extlen; + bool ret = true; + int eidx = 0; + void *ext; + + ext = rule_get_udata_ext(r, &extlen); + if (!ext) + return false; + + rule_udata_ext_foreach(rue, ext, extlen) { + for (; eidx < rue->start_idx; eidx++) { + expr = nftnl_expr_iter_next(ctx->iter); + if (!nft_parse_rule_expr(ctx->h, expr, ctx)) + ret = false; + } + + expr = nftnl_expr_from_udata_ext(rue); + if (!nft_parse_rule_expr(ctx->h, expr, ctx)) + ret = false; + nftnl_expr_free(expr); + + for (; eidx < rue->end_idx; eidx++) + nftnl_expr_iter_next(ctx->iter); + } + expr = nftnl_expr_iter_next(ctx->iter); + while (expr != NULL) { + if (!nft_parse_rule_expr(ctx->h, expr, ctx)) + ret = false; + expr = nftnl_expr_iter_next(ctx->iter); + } + return ret; +} + diff --git a/iptables/nft-compat.h b/iptables/nft-compat.h new file mode 100644 index 0000000000000..e91e2299bd2ae --- /dev/null +++ b/iptables/nft-compat.h 
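Review bot: rule_parse_udata_ext() trusts every field of the userdata blob and dereferences NULL on its error paths. nftnl_expr_from_udata_ext() returns NULL for an unknown rue->type, when uncompress() fails and when built without zlib, yet the result goes straight into nft_parse_rule_expr(ctx->h, expr, ctx) and nftnl_expr_free(expr); the same happens when nftnl_expr_iter_next(ctx->iter) returns NULL because rue->start_idx exceeds the rule's expression count. Both need a NULL check that fails the rule. rule_udata_ext_foreach only verifies that rue itself starts inside the attribute, not that `sizeof(*rue) + rue->size` fits in extlen, and __add_match()/__add_target() then read m->u.match_size/t->u.target_size from the decoded payload without comparing them to rue->orig_size, so a truncated or corrupted attribute reads past the buffer; validate size against extlen and orig_size against the embedded size before use. In pack_rule_udata_ext_data(), the return value of compress() is ignored and datalen_out is seeded with the input length, but zlib may need up to compressBound(datalen) bytes, and for a small, already dense struct the stream header and Adler-32 trailer make the output larger than the input; on Z_BUF_ERROR whatever compress() wrote is still stored with zip = true and the reader can never decompress it. Fall back to the plain copy (zip = false) when compress() fails or does not shrink the data, and pass a uLongf rather than a size_t. Finally, rule_add_udata_ext() builds a fresh udata buffer containing only UDATA_TYPE_COMPAT_EXT and installs it with nftnl_rule_set_data(r, NFTNL_RULE_USERDATA, ...), which discards any other attribute already on the rule, and an nftnl_udata_put() failure on the 255-byte limit is reported as "can't alloc memory!", so the user sees the wrong reason; copy the existing attributes over and name the size limit in the error. Minor: nftnl_rule_expr_count() sits in libnftnl's nftnl_ prefix, so a future library release could collide with it.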
@@ -0,0 +1,54 @@ +#ifndef _NFT_COMPAT_H_ +#define _NFT_COMPAT_H_ + +#include + +#include + +int nftnl_rule_expr_count(const struct nftnl_rule *r); + +enum rule_udata_ext_type { + RUE_TYPE_MATCH = 0, + RUE_TYPE_TARGET = 1, +}; + +struct rule_udata_ext { + uint8_t start_idx; + uint8_t end_idx; + uint8_t type; + uint8_t zip:1; + uint16_t orig_size; + uint16_t size; + unsigned char data[]; +}; + +struct rule_udata_ext * +rule_get_udata_ext(const struct nftnl_rule *r, uint32_t *outlen); + +void rule_add_udata_ext(struct nftnl_rule *r, + uint16_t start_idx, uint16_t end_idx, + uint8_t type, uint16_t size, const void *data); +static inline void +rule_add_udata_match(struct nftnl_rule *r, + uint16_t start_idx, uint16_t end_idx, + const struct xt_entry_match *m) +{ + rule_add_udata_ext(r, start_idx, end_idx, + RUE_TYPE_MATCH, m->u.match_size, m); +} + +static inline void +rule_add_udata_target(struct nftnl_rule *r, + uint16_t start_idx, uint16_t end_idx, + const struct xt_entry_target *t) +{ + rule_add_udata_ext(r, start_idx, end_idx, + RUE_TYPE_TARGET, t->u.target_size, t); +} + +struct nft_xt_ctx; + +bool rule_has_udata_ext(const struct nftnl_rule *r); +bool rule_parse_udata_ext(struct nft_xt_ctx *ctx, const struct nftnl_rule *r); + +#endif /* _NFT_COMPAT_H_ */ diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c index 757d3c29fc816..b58e16fff45cd 100644 --- a/iptables/nft-ruleparse.c +++ b/iptables/nft-ruleparse.c @@ -10,6 +10,7 @@ * This code has been sponsored by Sophos Astaro */ +#include "config.h" #include #include #include @@ -27,6 +28,7 @@ #include +#include "nft-compat.h" #include "nft-ruleparse.h" #include "nft.h" 
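Review bot: struct rule_udata_ext is stored verbatim in rule userdata, yet its layout is left to the compiler: `uint8_t zip:1;` is a bit-field whose placement is implementation-defined, and nothing fixes packing or byte order for orig_size and size, so a rule written by one build of the tool may be misread by another. Use a plain uint8_t flags byte with a RUE_FLAG_ZIP bit (name assumed) and document the struct as a fixed wire format, converting the 16-bit fields explicitly if cross-endian readers are to be supported. start_idx and end_idx are uint8_t here while rule_add_udata_ext() takes them as uint16_t and nft.c computes them from int, so a rule with more than 255 expressions wraps silently; either widen the fields or have rule_add_udata_ext() refuse with xtables_error() when an index does not fit. The inline rule_add_udata_match()/rule_add_udata_target() helpers pass m->u.match_size/t->u.target_size as the payload size, so a comment that the blob is the complete xt_entry_match/xt_entry_target including its header would help whoever reads __nftnl_expr_from_udata_ext().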
@@ -948,6 +950,25 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h, ret = false; expr = nftnl_expr_iter_next(ctx.iter); } +#ifdef DEBUG_COMPAT_EXT + if (rule_has_udata_ext(r)) + ret = false; +#endif + if (!ret && rule_has_udata_ext(r)) { + fprintf(stderr, + "Warning: Rule parser failed, trying compat fallback\n"); + + h->ops->clear_cs(cs); + if (h->ops->init_cs) + h->ops->init_cs(cs); + + nftnl_expr_iter_destroy(ctx.iter); + ctx.iter = nftnl_expr_iter_create(r); + if (!ctx.iter) + return false; + + ret = rule_parse_udata_ext(&ctx, r); + } nftnl_expr_iter_destroy(ctx.iter); diff --git a/iptables/nft.c b/iptables/nft.c index 64ac35f2edcf3..de20d9714695f 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -9,6 +9,7 @@ * This code has been sponsored by Sophos Astaro */ +#include "config.h" #include #include #include @@ -60,6 +61,7 @@ #include "nft-cache.h" #include "nft-shared.h" #include "nft-bridge.h" /* EBT_NOPROTO */ +#include "nft-compat.h" static void *nft_fn; @@ -1049,6 +1051,7 @@ void __add_match(struct nftnl_expr *e, const struct xt_entry_match *m) static int add_nft_limit(struct nftnl_rule *r, struct xt_entry_match *m) { struct xt_rateinfo *rinfo = (void *)m->data; + int i, ecnt = nftnl_rule_expr_count(r); static const uint32_t mult[] = { XT_LIMIT_SCALE*24*60*60, /* day */ XT_LIMIT_SCALE*60*60, /* hour */ @@ -1056,7 +1059,8 @@ static int add_nft_limit(struct nftnl_rule *r, struct xt_entry_match *m) XT_LIMIT_SCALE, /* sec */ }; struct nftnl_expr *expr; - int i; + + rule_add_udata_match(r, ecnt, ecnt + 1, m); expr = nftnl_expr_alloc("limit"); if (!expr) @@ -1371,6 +1375,7 @@ static bool udp_all_zero(const struct xt_udp *u) static int add_nft_udp(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match *m) { + int ret, ecnt = nftnl_rule_expr_count(r); struct xt_udp *udp = (void *)m->data; if (udp->invflags > XT_UDP_INV_MASK || 
@@ -1385,8 +1390,12 @@ static int add_nft_udp(struct nft_handle *h, struct nftnl_rule *r, if (nftnl_rule_get_u32(r, NFTNL_RULE_COMPAT_PROTO) != IPPROTO_UDP) xtables_error(PARAMETER_PROBLEM, "UDP match requires '-p udp'"); - return add_nft_tcpudp(h, r, udp->spts, udp->invflags & XT_UDP_INV_SRCPT, - udp->dpts, udp->invflags & XT_UDP_INV_DSTPT); + ret = add_nft_tcpudp(h, r, udp->spts, udp->invflags & XT_UDP_INV_SRCPT, + udp->dpts, udp->invflags & XT_UDP_INV_DSTPT); + + rule_add_udata_match(r, ecnt, nftnl_rule_expr_count(r), m); + + return ret; } static int add_nft_tcpflags(struct nft_handle *h, struct nftnl_rule *r, @@ -1423,6 +1432,7 @@ static int add_nft_tcp(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match *m) { static const uint8_t supported = XT_TCP_INV_SRCPT | XT_TCP_INV_DSTPT | XT_TCP_INV_FLAGS; + int ret, ecnt = nftnl_rule_expr_count(r); struct xt_tcp *tcp = (void *)m->data; if (tcp->invflags & ~supported || tcp->option || @@ -1438,23 +1448,27 @@ static int add_nft_tcp(struct nft_handle *h, struct nftnl_rule *r, xtables_error(PARAMETER_PROBLEM, "TCP match requires '-p tcp'"); if (tcp->flg_mask) { - int ret = add_nft_tcpflags(h, r, tcp->flg_cmp, tcp->flg_mask, - tcp->invflags & XT_TCP_INV_FLAGS); + ret = add_nft_tcpflags(h, r, tcp->flg_cmp, tcp->flg_mask, + tcp->invflags & XT_TCP_INV_FLAGS); if (ret < 0) return ret; } - return add_nft_tcpudp(h, r, tcp->spts, tcp->invflags & XT_TCP_INV_SRCPT, - tcp->dpts, tcp->invflags & XT_TCP_INV_DSTPT); + ret = add_nft_tcpudp(h, r, tcp->spts, tcp->invflags & XT_TCP_INV_SRCPT, + tcp->dpts, tcp->invflags & XT_TCP_INV_DSTPT); + + rule_add_udata_match(r, ecnt, nftnl_rule_expr_count(r), m); + + return ret; } static int add_nft_mark(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match *m) { struct xt_mark_mtinfo1 *mark = (void *)m->data; + int op, ecnt = nftnl_rule_expr_count(r); uint8_t reg; - int op; add_meta(h, r, NFT_META_MARK, ®); if (mark->mask != 0xffffffff) 
@@ -1467,6 +1481,8 @@ static int add_nft_mark(struct nft_handle *h, struct nftnl_rule *r, add_cmp_u32(r, mark->mark, op, reg); + rule_add_udata_match(r, ecnt, nftnl_rule_expr_count(r), m); + return 0; } @@ -1517,10 +1533,13 @@ void __add_target(struct nftnl_expr *e, const struct xt_entry_target *t) nftnl_expr_set(e, NFTNL_EXPR_TG_INFO, info, t->u.target_size - sizeof(*t)); } -static int add_meta_nftrace(struct nftnl_rule *r) +static int add_meta_nftrace(struct nftnl_rule *r, struct xt_entry_target *t) { + int ecnt = nftnl_rule_expr_count(r); struct nftnl_expr *expr; + rule_add_udata_target(r, ecnt, ecnt + 2, t); + expr = nftnl_expr_alloc("immediate"); if (expr == NULL) return -ENOMEM; @@ -1544,7 +1563,7 @@ int add_target(struct nftnl_rule *r, struct xt_entry_target *t) struct nftnl_expr *expr; if (strcmp(t->u.user.name, "TRACE") == 0) - return add_meta_nftrace(r); + return add_meta_nftrace(r, t); expr = nftnl_expr_alloc("target"); if (expr == NULL)
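Review bot: In the nft-compat.c hunk, rule_udata_ext_foreach() only checks that the start of each record lies before `(char *)(ext) + extlen`; it never checks that `sizeof(*rue)` plus `rue->size` also fits inside the blob, so a truncated or inconsistent record (the userdata is read back from the kernel and need not have been written by this iptables build) lets nftnl_expr_from_udata_ext(rue) read past the end of ext. Suggest a bound on both the header and the payload before dereferencing, e.g. `if ((char *)rue + sizeof(*rue) > end || (char *)rue + sizeof(*rue) + rue->size > end) break;` with `end = (char *)ext + extlen`. In the same hunk, the `for (; eidx < rue->start_idx; eidx++)` loop in rule_parse_udata_ext() passes the result of nftnl_expr_iter_next() straight to nft_parse_rule_expr() without a NULL check, unlike the trailing `while (expr != NULL)` loop; a start_idx larger than the rule's expression count should fail the parse rather than dereference NULL.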
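Review bot: In the new nft-compat.h, `struct rule_udata_ext` stores `start_idx` and `end_idx` as `uint8_t`, but rule_add_udata_ext(), rule_add_udata_match() and rule_add_udata_target() all take them as `uint16_t`, so a rule with more than 255 expressions would be recorded with silently truncated indices and later parsed against the wrong expressions. Either widen the struct fields or have rule_add_udata_ext() reject indices that do not fit. The `zip:1` bitfield and `orig_size` member are also not explained anywhere in the header; a one-line comment on what they carry (compressed payload and its uncompressed length, presumably) would help the next reader. Minor style point: `_NFT_COMPAT_H_` begins with an underscore followed by an uppercase letter, which is a reserved identifier in C; `NFT_COMPAT_H` avoids that.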
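Review bot: In the nft-ruleparse.c hunk at @@ -948, `h->ops->clear_cs(cs)` is called unconditionally while `init_cs` is NULL-checked on the next line; if any ops table may leave clear_cs unset, the fallback path needs the same guard, otherwise the asymmetry at least deserves a comment. The "Warning: Rule parser failed, trying compat fallback" message is printed for every affected rule, which gets noisy for a large ruleset dumped by iptables-save; consider printing it once or only when the fallback itself also fails. The `#ifdef DEBUG_COMPAT_EXT` block that forces the fallback for every rule carrying the extension is a useful test hook but is not mentioned in the commit message; a short note on how it is meant to be used would help.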
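Review bot: In the nft.c hunk at @@ -1056, add_nft_limit() calls `rule_add_udata_match(r, ecnt, ecnt + 1, m)` before `nftnl_expr_alloc("limit")` can fail, so on allocation failure the rule carries a userdata record pointing at an expression that was never added. Record the match after the limit expression has been added to the rule, as add_nft_udp() and add_nft_tcp() do by computing the end index from nftnl_rule_expr_count(r) afterwards.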
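Review bot: In the add_nft_udp() hunk at @@ -1385 and the add_nft_tcp() hunk at @@ -1438, `rule_add_udata_match(r, ecnt, nftnl_rule_expr_count(r), m)` runs regardless of what add_nft_tcpudp() returned, so an error return still leaves a userdata record describing a partially built expression range. Guard the call with `if (ret == 0)` (or whatever success value add_nft_tcpudp() uses) so the compat record is only attached to a rule that was actually translated.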
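Review bot: In the add_meta_nftrace() hunk at @@ -1517, `rule_add_udata_target(r, ecnt, ecnt + 2, t)` hardcodes that exactly two expressions (immediate and meta) will follow and is called before `nftnl_expr_alloc("immediate")` can return -ENOMEM, so the record can describe expressions that never got added. Computing the end index from nftnl_rule_expr_count(r) after both expressions are in place, as the match call sites do, removes the magic constant and the ordering problem at the same time.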