tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: nft_log: restrict the log prefix length to 127

First, log prefix will be truncated to NF_LOG_PREFIXLEN-1, i.e. 127,
at nf_log_packet(), so the extra part is useless.

Second, after adding a log rule with a very very long prefix, we will
fail to dump the nft rules after this _special_ one, but acctually,
they do exist. For example:
# name_65000=$(printf "%0.sQ" {1..65000})
# nft add rule filter output log prefix "$name_65000"
# nft add rule filter output counter
# nft add rule filter output counter
# nft list chain filter output
table ip filter {
chain output {
type filter hook output priority 0; policy accept;
}
}

So now, restrict the log prefix length to NF_LOG_PREFIXLEN-1.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Liping Zhang and committed by
Pablo Neira Ayuso 5ce6b04c b2fbd044

+4 -2
+2
include/uapi/linux/netfilter/nf_log.h
··· 9 9 #define NF_LOG_MACDECODE 0x20 /* Decode MAC header */ 10 10 #define NF_LOG_MASK 0x2f 11 11 12 + #define NF_LOG_PREFIXLEN 128 13 + 12 14 #endif /* _NETFILTER_NF_LOG_H */
-1
net/netfilter/nf_log.c
··· 13 13 /* Internal logging interface, which relies on the real 14 14 LOG target modules */ 15 15 16 - #define NF_LOG_PREFIXLEN 128 17 16 #define NFLOGGER_NAME_LEN 64 18 17 19 18 static struct nf_logger __rcu *loggers[NFPROTO_NUMPROTO][NF_LOG_TYPE_MAX] __read_mostly;
+2 -1
net/netfilter/nft_log.c
··· 39 39 40 40 static const struct nla_policy nft_log_policy[NFTA_LOG_MAX + 1] = { 41 41 [NFTA_LOG_GROUP] = { .type = NLA_U16 }, 42 - [NFTA_LOG_PREFIX] = { .type = NLA_STRING }, 42 + [NFTA_LOG_PREFIX] = { .type = NLA_STRING, 43 + .len = NF_LOG_PREFIXLEN - 1 }, 43 44 [NFTA_LOG_SNAPLEN] = { .type = NLA_U32 }, 44 45 [NFTA_LOG_QTHRESHOLD] = { .type = NLA_U16 }, 45 46 [NFTA_LOG_LEVEL] = { .type = NLA_U32 },