[nft,0/8] rework dependency removal

Message ID	20171026230611.14269-1-fw@strlen.de
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Florian Westphal <fw@strlen.de> To: <netfilter-devel@vger.kernel.org> Subject: [PATCH nft 0/8] rework dependency removal Date: Fri, 27 Oct 2017 01:06:03 +0200 Message-Id: <20171026230611.14269-1-fw@strlen.de> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	rework dependency removal \| expand [nft,0/8] rework dependency removal [nft,1/8] tests: adjust output to silence warnings [nft,2/8] src: remove exthdr_dependency_kill [nft,3/8] src: add and use payload_dependency_update helper [nft,4/8] src: pass proto_ctx to payload_dependency_kill [nft,5/8] payload: add basic infrastructure to keep some dependencies [nft,6/8] payload: keep dependencies that enforce a specific l3 protocol [nft,7/8] payload: consider expression type during dependency removal [nft,8/8] tests: silence test case

Message ID

20171026230611.14269-1-fw@strlen.de

Headers

From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Subject: [PATCH nft 0/8] rework dependency removal
Date: Fri, 27 Oct 2017 01:06:03 +0200
Message-Id: <20171026230611.14269-1-fw@strlen.de>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Series

rework dependency removal | expand

Message

Florian Westphal Oct. 26, 2017, 11:06 p.m. UTC

This series resolves a few shortcomings with the current dependency
removal.

Problem is that the current approach sometimes can remove dependencies
that are required, i.e. where the removal does change the rule.

Examples:
inet t .. meta nfproto ipv6 tcp dport 22 or
inet t .. ip protocol tcp tcp dport 22
are reduced to 'tcp dport 22'.
ip6 nexthdr icmpv6 icmpv6 type echo-request
becomes 'ipv6 type echo-request' (which is not exactly the same,
the implicit dependency nft adds is 'meta l4proto', which skips
most extension headers).

I already pushed a couple of test cases to increase coverage.

These patches aim to fix those by making dependency removal more
strict.

The additional checks are only done in families other than ip and ipv6,
as those are already restricted to a particular l3 protocol.


 include/payload.h         |   14 +-
 include/utils.h           |    1 
 src/netlink.c             |   11 --
 src/netlink_delinearize.c |   27 +----
 src/payload.c             |  224 +++++++++++++++++++++++++++++++++++++++++-----
 tests/py/bridge/icmpX.t   |    4 
 tests/py/inet/icmpX.t     |    4 
 tests/py/inet/ip_tcp.t    |    4 
 8 files changed, 224 insertions(+), 65 deletions(-)

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Pablo Neira Ayuso Oct. 27, 2017, 10:39 a.m. UTC | #1

On Fri, Oct 27, 2017 at 01:06:03AM +0200, Florian Westphal wrote:
> This series resolves a few shortcomings with the current dependency
> removal.
> 
> Problem is that the current approach sometimes can remove dependencies
> that are required, i.e. where the removal does change the rule.
> 
> Examples:
> inet t .. meta nfproto ipv6 tcp dport 22 or
> inet t .. ip protocol tcp tcp dport 22
> are reduced to 'tcp dport 22'.

OK, this is wrong, indeed.

> ip6 nexthdr icmpv6 icmpv6 type echo-request
> becomes 'ipv6 type echo-request' (which is not exactly the same,
> the implicit dependency nft adds is 'meta l4proto', which skips
> most extension headers).

This dependency removal is wrong too indeed and I agree it needs to be
fixed.

What I don't still is why patch 1/8 is expanding icmp type
echo-request to show explicit "ether type ip icmp type echo-request"
when listing the ruleset.

I mean:

-icmp type echo-request;ok
+icmp type echo-request;ok;ether type ip icmp type echo-request
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Florian Westphal Oct. 27, 2017, 12:46 p.m. UTC | #2

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> What I don't still is why patch 1/8 is expanding icmp type
> echo-request to show explicit "ether type ip icmp type echo-request"
> when listing the ruleset.
> 
> I mean:
> 
> -icmp type echo-request;ok
> +icmp type echo-request;ok;ether type ip icmp type echo-request

Correct, this is redundant, the 'ether type ip' could be removed
here.

But it would need more work to achive this, f.e. by
tracking not the last but all seen dependencies per-base and doing
the removal only after seeing all consecutive expression statements.

At the moment, when 'remove ether type ip' decision is made, we only
know that the next expression is 'meta l4proto'.

But that is not enough to know if the dependency is implicit or not.
Another soltution would be to pass the relational expression, and
then extract rhs too. That would allow to see the 'icmp' in
'meta l4proto icmp' (and then remove the dep because icmp implies ipv4).

However, as icmp is the only case where we can do the removal I think
its currently not super urgent to make these changes.

Does that explanation help?

I would re-word the commit message accordingly.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html