[nf-next,1/7] netfilter: nft_tunnel: parse ERSPAN_VERSION attr as u8
diff mbox series

Message ID 981718e8e2ca5cd34d1153f54eae06ab2f087c07.1575779993.git.lucien.xin@gmail.com
State Changes Requested
Delegated to: Pablo Neira
Headers show
Series
  • netfilter: nft_tunnel: reinforce key opts support
Related show

Commit Message

Xin Long Dec. 8, 2019, 4:41 a.m. UTC
To keep consistent with ipgre_policy, it's better to parse
ERSPAN_VERSION attr as u8, as it does in act_tunnel_key,
cls_flower and ip_tunnel_core.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/netfilter/nft_tunnel.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Simon Horman Dec. 9, 2019, 8:03 p.m. UTC | #1
Hi Xin,

On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote:
> To keep consistent with ipgre_policy, it's better to parse
> ERSPAN_VERSION attr as u8, as it does in act_tunnel_key,
> cls_flower and ip_tunnel_core.
> 
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> ---
>  net/netfilter/nft_tunnel.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> index 3d4c2ae..f76cd7d 100644
> --- a/net/netfilter/nft_tunnel.c
> +++ b/net/netfilter/nft_tunnel.c
> @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr,
>  }
>  
>  static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = {
> +	[NFTA_TUNNEL_KEY_ERSPAN_VERSION]	= { .type = NLA_U8 },
>  	[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]	= { .type = NLA_U32 },
> -	[NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]	= { .type = NLA_U8 },
> +	[NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]		= { .type = NLA_U8 },
>  	[NFTA_TUNNEL_KEY_ERSPAN_V2_HWID]	= { .type = NLA_U8 },
>  };
>  
> @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
>  	if (err < 0)
>  		return err;
>  
> -	version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
> +	version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]);

I have concerns about this change and backwards-compatibility with existing
users of this UAPI. Likewise, with other changes to the encoding of existing
attributes elsewhere in this series.

>  	switch (version) {
>  	case ERSPAN_VERSION:
>  		if (!tb[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX])
> -- 
> 2.1.0
>
Xin Long Dec. 10, 2019, 4:05 a.m. UTC | #2
On Tue, Dec 10, 2019 at 4:03 AM Simon Horman <simon.horman@netronome.com> wrote:
>
> Hi Xin,
>
> On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote:
> > To keep consistent with ipgre_policy, it's better to parse
> > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key,
> > cls_flower and ip_tunnel_core.
> >
> > Signed-off-by: Xin Long <lucien.xin@gmail.com>
> > ---
> >  net/netfilter/nft_tunnel.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> > index 3d4c2ae..f76cd7d 100644
> > --- a/net/netfilter/nft_tunnel.c
> > +++ b/net/netfilter/nft_tunnel.c
> > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr,
> >  }
> >
> >  static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = {
> > +     [NFTA_TUNNEL_KEY_ERSPAN_VERSION]        = { .type = NLA_U8 },
> >       [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]       = { .type = NLA_U32 },
> > -     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 },
> > +     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]         = { .type = NLA_U8 },
> >       [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID]        = { .type = NLA_U8 },
> >  };
> >
> > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
> >       if (err < 0)
> >               return err;
> >
> > -     version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
> > +     version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]);
>
> I have concerns about this change and backwards-compatibility with existing
> users of this UAPI. Likewise, with other changes to the encoding of existing
> attributes elsewhere in this series.
userspace(nftables/libnftnl) is not ready for nft_tunnel, I don't
think there will be
any backwards-compatibility issue.

Pablo?

>
> >       switch (version) {
> >       case ERSPAN_VERSION:
> >               if (!tb[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX])
> > --
> > 2.1.0
> >
Pablo Neira Ayuso Dec. 11, 2019, 9:51 p.m. UTC | #3
Hi,

On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote:
> To keep consistent with ipgre_policy, it's better to parse
> ERSPAN_VERSION attr as u8, as it does in act_tunnel_key,
> cls_flower and ip_tunnel_core.
> 
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> ---
>  net/netfilter/nft_tunnel.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> index 3d4c2ae..f76cd7d 100644
> --- a/net/netfilter/nft_tunnel.c
> +++ b/net/netfilter/nft_tunnel.c
> @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr,
>  }
>  
>  static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = {
> +	[NFTA_TUNNEL_KEY_ERSPAN_VERSION]	= { .type = NLA_U8 },
>  	[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]	= { .type = NLA_U32 },
> -	[NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]	= { .type = NLA_U8 },
> +	[NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]		= { .type = NLA_U8 },
>  	[NFTA_TUNNEL_KEY_ERSPAN_V2_HWID]	= { .type = NLA_U8 },
>  };
>  
> @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
>  	if (err < 0)
>  		return err;
>  
> -	version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
> +	version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]);

I think NFTA_TUNNEL_KEY_ERSPAN_VERSION as 32-bit is just fine.

Netlink will be adding the padding anyway for u8.

I would suggest you leave this as is.

Thanks.
Xin Long Dec. 12, 2019, 3:20 a.m. UTC | #4
On Thu, Dec 12, 2019 at 5:51 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> Hi,
>
> On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote:
> > To keep consistent with ipgre_policy, it's better to parse
> > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key,
> > cls_flower and ip_tunnel_core.
> >
> > Signed-off-by: Xin Long <lucien.xin@gmail.com>
> > ---
> >  net/netfilter/nft_tunnel.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> > index 3d4c2ae..f76cd7d 100644
> > --- a/net/netfilter/nft_tunnel.c
> > +++ b/net/netfilter/nft_tunnel.c
> > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr,
> >  }
> >
> >  static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = {
> > +     [NFTA_TUNNEL_KEY_ERSPAN_VERSION]        = { .type = NLA_U8 },
> >       [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]       = { .type = NLA_U32 },
> > -     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 },
> > +     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]         = { .type = NLA_U8 },
> >       [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID]        = { .type = NLA_U8 },
> >  };
> >
> > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
> >       if (err < 0)
> >               return err;
> >
> > -     version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
> > +     version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]);
>
> I think NFTA_TUNNEL_KEY_ERSPAN_VERSION as 32-bit is just fine.
>
> Netlink will be adding the padding anyway for u8.
>
> I would suggest you leave this as is.
okay.

do you think I should prepare another patch/fix for the missing nla_policy part?
[NFTA_TUNNEL_KEY_ERSPAN_VERSION]        = { .type = NLA_U32 },

Thanks.
Pablo Neira Ayuso Dec. 12, 2019, 12:33 p.m. UTC | #5
On Thu, Dec 12, 2019 at 11:20:19AM +0800, Xin Long wrote:
> On Thu, Dec 12, 2019 at 5:51 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > Hi,
> >
> > On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote:
> > > To keep consistent with ipgre_policy, it's better to parse
> > > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key,
> > > cls_flower and ip_tunnel_core.
> > >
> > > Signed-off-by: Xin Long <lucien.xin@gmail.com>
> > > ---
> > >  net/netfilter/nft_tunnel.c | 5 +++--
> > >  1 file changed, 3 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> > > index 3d4c2ae..f76cd7d 100644
> > > --- a/net/netfilter/nft_tunnel.c
> > > +++ b/net/netfilter/nft_tunnel.c
> > > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr,
> > >  }
> > >
> > >  static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = {
> > > +     [NFTA_TUNNEL_KEY_ERSPAN_VERSION]        = { .type = NLA_U8 },
> > >       [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]       = { .type = NLA_U32 },
> > > -     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 },
> > > +     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]         = { .type = NLA_U8 },
> > >       [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID]        = { .type = NLA_U8 },
> > >  };
> > >
> > > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
> > >       if (err < 0)
> > >               return err;
> > >
> > > -     version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
> > > +     version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]);
> >
> > I think NFTA_TUNNEL_KEY_ERSPAN_VERSION as 32-bit is just fine.
> >
> > Netlink will be adding the padding anyway for u8.
> >
> > I would suggest you leave this as is.
> okay.
> 
> do you think I should prepare another patch/fix for the missing nla_policy part?
> [NFTA_TUNNEL_KEY_ERSPAN_VERSION]        = { .type = NLA_U32 },

Yes, please, thanks.
Simon Horman Dec. 13, 2019, 9:30 a.m. UTC | #6
On Tue, Dec 10, 2019 at 12:05:15PM +0800, Xin Long wrote:
> On Tue, Dec 10, 2019 at 4:03 AM Simon Horman <simon.horman@netronome.com> wrote:
> >
> > Hi Xin,
> >
> > On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote:
> > > To keep consistent with ipgre_policy, it's better to parse
> > > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key,
> > > cls_flower and ip_tunnel_core.
> > >
> > > Signed-off-by: Xin Long <lucien.xin@gmail.com>
> > > ---
> > >  net/netfilter/nft_tunnel.c | 5 +++--
> > >  1 file changed, 3 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> > > index 3d4c2ae..f76cd7d 100644
> > > --- a/net/netfilter/nft_tunnel.c
> > > +++ b/net/netfilter/nft_tunnel.c
> > > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr,
> > >  }
> > >
> > >  static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = {
> > > +     [NFTA_TUNNEL_KEY_ERSPAN_VERSION]        = { .type = NLA_U8 },
> > >       [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]       = { .type = NLA_U32 },
> > > -     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 },
> > > +     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]         = { .type = NLA_U8 },
> > >       [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID]        = { .type = NLA_U8 },
> > >  };
> > >
> > > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
> > >       if (err < 0)
> > >               return err;
> > >
> > > -     version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
> > > +     version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]);
> >
> > I have concerns about this change and backwards-compatibility with existing
> > users of this UAPI. Likewise, with other changes to the encoding of existing
> > attributes elsewhere in this series.
> userspace(nftables/libnftnl) is not ready for nft_tunnel, I don't
> think there will be
> any backwards-compatibility issue.
> 
> Pablo?

Thanks, I'm happy to defer to Pablo on this question.

> 
> >
> > >       switch (version) {
> > >       case ERSPAN_VERSION:
> > >               if (!tb[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX])
> > > --
> > > 2.1.0
> > >
Pablo Neira Ayuso Dec. 17, 2019, 9:39 p.m. UTC | #7
Hi Simon,

On Fri, Dec 13, 2019 at 10:30:26AM +0100, Simon Horman wrote:
> On Tue, Dec 10, 2019 at 12:05:15PM +0800, Xin Long wrote:
> > On Tue, Dec 10, 2019 at 4:03 AM Simon Horman <simon.horman@netronome.com> wrote:
> > >
> > > Hi Xin,
> > >
> > > On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote:
> > > > To keep consistent with ipgre_policy, it's better to parse
> > > > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key,
> > > > cls_flower and ip_tunnel_core.
> > > >
> > > > Signed-off-by: Xin Long <lucien.xin@gmail.com>
> > > > ---
> > > >  net/netfilter/nft_tunnel.c | 5 +++--
> > > >  1 file changed, 3 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> > > > index 3d4c2ae..f76cd7d 100644
> > > > --- a/net/netfilter/nft_tunnel.c
> > > > +++ b/net/netfilter/nft_tunnel.c
> > > > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr,
> > > >  }
> > > >
> > > >  static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = {
> > > > +     [NFTA_TUNNEL_KEY_ERSPAN_VERSION]        = { .type = NLA_U8 },
> > > >       [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]       = { .type = NLA_U32 },
> > > > -     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 },
> > > > +     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]         = { .type = NLA_U8 },
> > > >       [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID]        = { .type = NLA_U8 },
> > > >  };
> > > >
> > > > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
> > > >       if (err < 0)
> > > >               return err;
> > > >
> > > > -     version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
> > > > +     version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]);
> > >
> > > I have concerns about this change and backwards-compatibility with existing
> > > users of this UAPI. Likewise, with other changes to the encoding of existing
> > > attributes elsewhere in this series.
> >
> > userspace(nftables/libnftnl) is not ready for nft_tunnel, I don't
> > think there will be any backwards-compatibility issue.
> > 
> > Pablo?
> 
> Thanks, I'm happy to defer to Pablo on this question.

I agree with Xin. This uapi is not in good shape and there is no
upstream userspace code for this, no nftables support for this yet.
In this particular case I'm inclined to fix uapi, better sooner than
never.

Thanks.

Patch
diff mbox series

diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 3d4c2ae..f76cd7d 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -248,8 +248,9 @@  static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr,
 }
 
 static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = {
+	[NFTA_TUNNEL_KEY_ERSPAN_VERSION]	= { .type = NLA_U8 },
 	[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]	= { .type = NLA_U32 },
-	[NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]	= { .type = NLA_U8 },
+	[NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]		= { .type = NLA_U8 },
 	[NFTA_TUNNEL_KEY_ERSPAN_V2_HWID]	= { .type = NLA_U8 },
 };
 
@@ -266,7 +267,7 @@  static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
 	if (err < 0)
 		return err;
 
-	version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
+	version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]);
 	switch (version) {
 	case ERSPAN_VERSION:
 		if (!tb[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX])