Thread (11 messages) 11 messages, 3 authors, 2019-06-10

Re: [PATCH nf-next] netfilter: add support for matching IPv4 options

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: 2019-06-10 15:51:01
Also in: netfilter-devel 

On Sat, Jun 01, 2019 at 10:27:06PM -0400, Stephen Suryaputra wrote:
On Mon, Jun 03, 2019 at 02:30:06PM +0200, Pablo Neira Ayuso wrote:
quoted
quoted
I developed this patchset to suit my employer needs and there is no plan
for a follow up patchset, however I think non-zero offset might be useful
in the future for tunneled packets.
For tunneled traffic, we can store the network offset in the
nft_pktinfo object. Then, add a new extension to update this network
offset to point to the network offset inside the tunnel header, and
use this pkt->network_offset everywhere.
OK. I'm changing so that offset isn't being used as input. But, it's
still being passed as reference for output. See further response
below...
quoted
I think this new IPv4 options extension should use priv->offset to
match fields inside the IPv4 option specifically, just like in the
IPv6 extensions and TCP options do. If you look on how the
priv->offset is used in the existing code, this offset points to
values that the specific option field conveys.
I believe that's what I have coded:

	err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type, NULL, NULL);
	if (priv->flags & NFT_EXTHDR_F_PRESENT) {
		*dest = (err >= 0);
		return;
	} else if (err < 0) {
		goto err;
	}
	offset += priv->offset;

offset is returned as the offset where it matches the sought priv->type
then priv->offset is added to get to the right field between the offset.
I see, thanks for explaining.

I got me confused when I read this:

+ * Note that *offset is used as input/output parameter, and if it is not zero,
+ * then it must be a valid offset to an inner IPv4 header. This can be used
+ * to explore inner IPv4 header, eg. ICMP error messages.

I thought this is how the new extension for nftables is working. Not
the function.

And then, this chunk:

+       if (!offset)
+               return -EINVAL;

This never happens, right? offset is always set.

+       if (!*offset)
+               *offset = skb_network_offset(skb);

So this is not needed either.

I would remove those, you can add more code to ipv4_find_option()
later on as you get more clients in the networking tree. I'd suggest,
better remove code that is not used yet, then introduce it once
needed.

If this is satisfactory, I can submit v2 of the kernel patch.
Please do so, so you get more feedback (if needed) and we move on :-)

Thanks!
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help