[nf] netfilter: nf_tables_api: set min dump size to 8k

Message ID 20180507152359.25950-1-fw@strlen.de
State RFC
Delegated to: Pablo Neira

Commit Message

Florian Westphal May 7, 2018, 3:23 p.m.
Under rare conditions it's possible that nfnetlink dump of nft
ruleset will not return any result.

Problem occurs when netlink_dump() is invoked for first time,
in response to incoming dump request.

In that case, netlink socket hasn't recorded the size of the userspace
buffer yet, as userspace did not call recv() yet, so NLMSG_GOODSIZE
sized skb is allocated.

In extreme case, the first rule to be added is larger than this,
which ends the dump (callback returns 0, as skb has no data).

The problem won't occur in case a smaller expression was added first,
because then dump returns skb with data, which gets placed on socket's
receive queue.  Next recv() from user allocates skb based on the size
of the user buffer, e.g. 16k.

I don't like this change at all but I could not find another solution.

Signed-off-by: Florian Westphal <fw@strlen.de>
 net/netfilter/nf_tables_api.c | 1 +
 1 file changed, 1 insertion(+)


diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a2bb31472aa1..975af75e232e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2103,6 +2103,7 @@  static int nf_tables_getrule(struct net *net, struct sock *nlsk,
 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
 		struct netlink_dump_control c = {
+			.min_dump_alloc = SKB_WITH_OVERHEAD(8192),
 			.dump = nf_tables_dump_rules,
 			.done = nf_tables_dump_rules_done,
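
Review bot: the `.min_dump_alloc = SKB_WITH_OVERHEAD(8192),` line in the `netlink_dump_control` initializer carries no comment, and 8192 is a bare constant, so a reader of nf_tables_getrule() cannot tell why this dump needs a minimum allocation. Suggest a short comment above the initializer saying that the first netlink_dump() call runs before userspace has called recv() and would otherwise get an NLMSG_GOODSIZE skb, and consider a named constant for the size. The bound is also still fixed: by the commit message's own reasoning, a first rule that does not fit in 8k would end the dump with no data in the same way, so the changelog should state what rule size this value is expected to cover.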