tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'nf-next-23-07-27' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

Florian Westphal says:

====================
netfilter updates for net-next

1. silence a harmless warning for CONFIG_NF_CONNTRACK_PROCFS=n builds,
from Zhu Wang.

2, 3:
Allow NLA_POLICY_MASK to be used with BE16/BE32 types, and replace a few
manual checks with nla_policy based one in nf_tables, from myself.

4: cleanup in ctnetlink to validate while parsing rather than
using two steps, from Lin Ma.

5: refactor boyer-moore textsearch by moving a small chunk to
a helper function, rom Jeremy Sowden.

* tag 'nf-next-23-07-27' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
lib/ts_bm: add helper to reduce indentation and improve readability
netfilter: conntrack: validate cta_ip via parsing
netfilter: nf_tables: use NLA_POLICY_MASK to test for valid flag options
netlink: allow be16 and be32 types in all uint policy checks
nf_conntrack: fix -Wunused-const-variable=
====================

Link: https://lore.kernel.org/r/20230727133604.8275-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Jakub Kicinski 5908a4c4 bb85e12f

+61 -51
+3 -7
include/net/netlink.h
··· 375 375 #define NLA_POLICY_BITFIELD32(valid) \ 376 376 { .type = NLA_BITFIELD32, .bitfield32_valid = valid } 377 377 378 - #define __NLA_IS_UINT_TYPE(tp) \ 379 - (tp == NLA_U8 || tp == NLA_U16 || tp == NLA_U32 || tp == NLA_U64) 378 + #define __NLA_IS_UINT_TYPE(tp) \ 379 + (tp == NLA_U8 || tp == NLA_U16 || tp == NLA_U32 || \ 380 + tp == NLA_U64 || tp == NLA_BE16 || tp == NLA_BE32) 380 381 #define __NLA_IS_SINT_TYPE(tp) \ 381 382 (tp == NLA_S8 || tp == NLA_S16 || tp == NLA_S32 || tp == NLA_S64) 382 - #define __NLA_IS_BEINT_TYPE(tp) \ 383 - (tp == NLA_BE16 || tp == NLA_BE32) 384 383 385 384 #define __NLA_ENSURE(condition) BUILD_BUG_ON_ZERO(!(condition)) 386 385 #define NLA_ENSURE_UINT_TYPE(tp) \ ··· 393 394 #define NLA_ENSURE_INT_OR_BINARY_TYPE(tp) \ 394 395 (__NLA_ENSURE(__NLA_IS_UINT_TYPE(tp) || \ 395 396 __NLA_IS_SINT_TYPE(tp) || \ 396 - __NLA_IS_BEINT_TYPE(tp) || \ 397 397 tp == NLA_MSECS || \ 398 398 tp == NLA_BINARY) + tp) 399 399 #define NLA_ENSURE_NO_VALIDATION_PTR(tp) \ ··· 400 402 tp != NLA_REJECT && \ 401 403 tp != NLA_NESTED && \ 402 404 tp != NLA_NESTED_ARRAY) + tp) 403 - #define NLA_ENSURE_BEINT_TYPE(tp) \ 404 - (__NLA_ENSURE(__NLA_IS_BEINT_TYPE(tp)) + tp) 405 405 406 406 #define NLA_POLICY_RANGE(tp, _min, _max) { \ 407 407 .type = NLA_ENSURE_INT_OR_BINARY_TYPE(tp), \
+6
lib/nlattr.c
··· 355 355 case NLA_U64: 356 356 value = nla_get_u64(nla); 357 357 break; 358 + case NLA_BE16: 359 + value = ntohs(nla_get_be16(nla)); 360 + break; 361 + case NLA_BE32: 362 + value = ntohl(nla_get_be32(nla)); 363 + break; 358 364 default: 359 365 return -EINVAL; 360 366 }
+28 -11
lib/ts_bm.c
··· 55 55 unsigned int good_shift[]; 56 56 }; 57 57 58 + static unsigned int matchpat(const u8 *pattern, unsigned int patlen, 59 + const u8 *text, bool icase) 60 + { 61 + unsigned int i; 62 + 63 + for (i = 0; i < patlen; i++) { 64 + u8 t = *(text-i); 65 + 66 + if (icase) 67 + t = toupper(t); 68 + 69 + if (t != *(pattern-i)) 70 + break; 71 + } 72 + 73 + return i; 74 + } 75 + 58 76 static unsigned int bm_find(struct ts_config *conf, struct ts_state *state) 59 77 { 60 78 struct ts_bm *bm = ts_config_priv(conf); ··· 90 72 break; 91 73 92 74 while (shift < text_len) { 93 - DEBUGP("Searching in position %d (%c)\n", 94 - shift, text[shift]); 95 - for (i = 0; i < bm->patlen; i++) 96 - if ((icase ? toupper(text[shift-i]) 97 - : text[shift-i]) 98 - != bm->pattern[bm->patlen-1-i]) 99 - goto next; 75 + DEBUGP("Searching in position %d (%c)\n", 76 + shift, text[shift]); 100 77 101 - /* London calling... */ 102 - DEBUGP("found!\n"); 103 - return consumed + (shift-(bm->patlen-1)); 78 + i = matchpat(&bm->pattern[bm->patlen-1], bm->patlen, 79 + &text[shift], icase); 80 + if (i == bm->patlen) { 81 + /* London calling... */ 82 + DEBUGP("found!\n"); 83 + return consumed + (shift-(bm->patlen-1)); 84 + } 104 85 105 - next: bs = bm->bad_shift[text[shift-i]]; 86 + bs = bm->bad_shift[text[shift-i]]; 106 87 107 88 /* Now jumping to... */ 108 89 shift = max_t(int, shift-i+bs, shift+bm->good_shift[i]);
+2 -6
net/netfilter/nf_conntrack_netlink.c
··· 1321 1321 struct nlattr *tb[CTA_IP_MAX+1]; 1322 1322 int ret = 0; 1323 1323 1324 - ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL); 1324 + ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, 1325 + cta_ip_nla_policy, NULL); 1325 1326 if (ret < 0) 1326 - return ret; 1327 - 1328 - ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX, 1329 - cta_ip_nla_policy, NULL); 1330 - if (ret) 1331 1327 return ret; 1332 1328 1333 1329 switch (tuple->src.l3num) {
+2
net/netfilter/nf_conntrack_proto_dccp.c
··· 69 69 70 70 #define DCCP_MSL (2 * 60 * HZ) 71 71 72 + #ifdef CONFIG_NF_CONNTRACK_PROCFS 72 73 static const char * const dccp_state_names[] = { 73 74 [CT_DCCP_NONE] = "NONE", 74 75 [CT_DCCP_REQUEST] = "REQUEST", ··· 82 81 [CT_DCCP_IGNORE] = "IGNORE", 83 82 [CT_DCCP_INVALID] = "INVALID", 84 83 }; 84 + #endif 85 85 86 86 #define sNO CT_DCCP_NONE 87 87 #define sRQ CT_DCCP_REQUEST
+9 -8
net/netfilter/nft_fib.c
··· 14 14 #include <net/netfilter/nf_tables.h> 15 15 #include <net/netfilter/nft_fib.h> 16 16 17 - const struct nla_policy nft_fib_policy[NFTA_FIB_MAX + 1] = { 18 - [NFTA_FIB_DREG] = { .type = NLA_U32 }, 19 - [NFTA_FIB_RESULT] = { .type = NLA_U32 }, 20 - [NFTA_FIB_FLAGS] = { .type = NLA_U32 }, 21 - }; 22 - EXPORT_SYMBOL(nft_fib_policy); 23 - 24 17 #define NFTA_FIB_F_ALL (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR | \ 25 18 NFTA_FIB_F_MARK | NFTA_FIB_F_IIF | NFTA_FIB_F_OIF | \ 26 19 NFTA_FIB_F_PRESENT) 20 + 21 + const struct nla_policy nft_fib_policy[NFTA_FIB_MAX + 1] = { 22 + [NFTA_FIB_DREG] = { .type = NLA_U32 }, 23 + [NFTA_FIB_RESULT] = { .type = NLA_U32 }, 24 + [NFTA_FIB_FLAGS] = 25 + NLA_POLICY_MASK(NLA_BE32, NFTA_FIB_F_ALL), 26 + }; 27 + EXPORT_SYMBOL(nft_fib_policy); 27 28 28 29 int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr, 29 30 const struct nft_data **data) ··· 78 77 79 78 priv->flags = ntohl(nla_get_be32(tb[NFTA_FIB_FLAGS])); 80 79 81 - if (priv->flags == 0 || (priv->flags & ~NFTA_FIB_F_ALL)) 80 + if (priv->flags == 0) 82 81 return -EINVAL; 83 82 84 83 if ((priv->flags & (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR)) ==
+2 -4
net/netfilter/nft_lookup.c
··· 90 90 [NFTA_LOOKUP_SET_ID] = { .type = NLA_U32 }, 91 91 [NFTA_LOOKUP_SREG] = { .type = NLA_U32 }, 92 92 [NFTA_LOOKUP_DREG] = { .type = NLA_U32 }, 93 - [NFTA_LOOKUP_FLAGS] = { .type = NLA_U32 }, 93 + [NFTA_LOOKUP_FLAGS] = 94 + NLA_POLICY_MASK(NLA_BE32, NFT_LOOKUP_F_INV), 94 95 }; 95 96 96 97 static int nft_lookup_init(const struct nft_ctx *ctx, ··· 120 119 121 120 if (tb[NFTA_LOOKUP_FLAGS]) { 122 121 flags = ntohl(nla_get_be32(tb[NFTA_LOOKUP_FLAGS])); 123 - 124 - if (flags & ~NFT_LOOKUP_F_INV) 125 - return -EINVAL; 126 122 127 123 if (flags & NFT_LOOKUP_F_INV) 128 124 priv->invert = true;
+3 -5
net/netfilter/nft_masq.c
··· 20 20 }; 21 21 22 22 static const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = { 23 - [NFTA_MASQ_FLAGS] = { .type = NLA_U32 }, 23 + [NFTA_MASQ_FLAGS] = 24 + NLA_POLICY_MASK(NLA_BE32, NF_NAT_RANGE_MASK), 24 25 [NFTA_MASQ_REG_PROTO_MIN] = { .type = NLA_U32 }, 25 26 [NFTA_MASQ_REG_PROTO_MAX] = { .type = NLA_U32 }, 26 27 }; ··· 48 47 struct nft_masq *priv = nft_expr_priv(expr); 49 48 int err; 50 49 51 - if (tb[NFTA_MASQ_FLAGS]) { 50 + if (tb[NFTA_MASQ_FLAGS]) 52 51 priv->flags = ntohl(nla_get_be32(tb[NFTA_MASQ_FLAGS])); 53 - if (priv->flags & ~NF_NAT_RANGE_MASK) 54 - return -EINVAL; 55 - } 56 52 57 53 if (tb[NFTA_MASQ_REG_PROTO_MIN]) { 58 54 err = nft_parse_register_load(tb[NFTA_MASQ_REG_PROTO_MIN],
+3 -5
net/netfilter/nft_nat.c
··· 132 132 [NFTA_NAT_REG_ADDR_MAX] = { .type = NLA_U32 }, 133 133 [NFTA_NAT_REG_PROTO_MIN] = { .type = NLA_U32 }, 134 134 [NFTA_NAT_REG_PROTO_MAX] = { .type = NLA_U32 }, 135 - [NFTA_NAT_FLAGS] = { .type = NLA_U32 }, 135 + [NFTA_NAT_FLAGS] = 136 + NLA_POLICY_MASK(NLA_BE32, NF_NAT_RANGE_MASK), 136 137 }; 137 138 138 139 static int nft_nat_validate(const struct nft_ctx *ctx, ··· 247 246 priv->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; 248 247 } 249 248 250 - if (tb[NFTA_NAT_FLAGS]) { 249 + if (tb[NFTA_NAT_FLAGS]) 251 250 priv->flags |= ntohl(nla_get_be32(tb[NFTA_NAT_FLAGS])); 252 - if (priv->flags & ~NF_NAT_RANGE_MASK) 253 - return -EOPNOTSUPP; 254 - } 255 251 256 252 return nf_ct_netns_get(ctx->net, family); 257 253 }
+3 -5
net/netfilter/nft_redir.c
··· 22 22 static const struct nla_policy nft_redir_policy[NFTA_REDIR_MAX + 1] = { 23 23 [NFTA_REDIR_REG_PROTO_MIN] = { .type = NLA_U32 }, 24 24 [NFTA_REDIR_REG_PROTO_MAX] = { .type = NLA_U32 }, 25 - [NFTA_REDIR_FLAGS] = { .type = NLA_U32 }, 25 + [NFTA_REDIR_FLAGS] = 26 + NLA_POLICY_MASK(NLA_BE32, NF_NAT_RANGE_MASK), 26 27 }; 27 28 28 29 static int nft_redir_validate(const struct nft_ctx *ctx, ··· 69 68 priv->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; 70 69 } 71 70 72 - if (tb[NFTA_REDIR_FLAGS]) { 71 + if (tb[NFTA_REDIR_FLAGS]) 73 72 priv->flags = ntohl(nla_get_be32(tb[NFTA_REDIR_FLAGS])); 74 - if (priv->flags & ~NF_NAT_RANGE_MASK) 75 - return -EINVAL; 76 - } 77 73 78 74 return nf_ct_netns_get(ctx->net, ctx->family); 79 75 }