From patchwork Tue Nov 19 22:03:24 2024
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Jeremy Sowden
Subject: [iptables PATCH v2 1/2] nft: fix interface comparisons in `-C` commands
Date: Tue, 19 Nov 2024 23:03:24 +0100
Message-ID: <20241119220325.30700-1-phil@nwl.cc>
X-Mailer: git-send-email 2.47.0
X-Patchwork-Id: 2013382

From: Jeremy Sowden

Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
kernel") removed code which explicitly set interface masks to all ones.
The result of this is that they are zero. However, they are used to mask
interfaces in `is_same_interfaces`. Consequently, the masked values are
always zero, the comparisons are always true, and check commands which
ought to fail succeed:

  # iptables -N test
  # iptables -A test -i lo \! -o lo -j REJECT
  # iptables -v -L test
  Chain test (0 references)
  pkts bytes target prot opt in out source destination
  0 0 REJECT all -- lo !lo anywhere anywhere reject-with icmp-port-unreachable
  # iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
  REJECT all opt -- in lo out !lo 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable

Remove the mask parameters from `is_same_interfaces`. Add a test-case.

Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
Signed-off-by: Jeremy Sowden
Signed-off-by: Phil Sutter --- Changes since v1: - Replace the loop by strncmp() calls. --- iptables/nft-arp.c | 10 ++---- iptables/nft-ipv4.c | 4 +-- iptables/nft-ipv6.c | 6 +--- iptables/nft-shared.c | 36 +++++-------------- iptables/nft-shared.h | 6 +--- .../nft-only/0020-compare-interfaces_0 | 9 +++++ 6 files changed, 22 insertions(+), 49 deletions(-) create mode 100755 iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0 diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index 264864c3fb2b2..c11d64c368638 100644 --- a/iptables/nft-arp.c +++ b/iptables/nft-arp.c @@ -385,14 +385,8 @@ static bool nft_arp_is_same(const struct iptables_command_state *cs_a, return false; } - return is_same_interfaces(a->arp.iniface, - a->arp.outiface, - (unsigned char *)a->arp.iniface_mask, - (unsigned char *)a->arp.outiface_mask, - b->arp.iniface, - b->arp.outiface, - (unsigned char *)b->arp.iniface_mask, - (unsigned char *)b->arp.outiface_mask); + return is_same_interfaces(a->arp.iniface, a->arp.outiface, + b->arp.iniface, b->arp.outiface); } static void nft_arp_save_chain(const struct nftnl_chain *c, const char *policy) diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index 740928757b7e2..0c8bd2911d105 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -113,9 +113,7 @@ static bool nft_ipv4_is_same(const struct iptables_command_state *a, } return is_same_interfaces(a->fw.ip.iniface, a->fw.ip.outiface, - a->fw.ip.iniface_mask, a->fw.ip.outiface_mask, - b->fw.ip.iniface, b->fw.ip.outiface, - b->fw.ip.iniface_mask, b->fw.ip.outiface_mask); + b->fw.ip.iniface, b->fw.ip.outiface); } static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs) diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index b184f8af3e6ed..4dbb2af206054 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c 
@@ -99,11 +99,7 @@ static bool nft_ipv6_is_same(const struct iptables_command_state *a, } return is_same_interfaces(a->fw6.ipv6.iniface, a->fw6.ipv6.outiface, - a->fw6.ipv6.iniface_mask, - a->fw6.ipv6.outiface_mask, - b->fw6.ipv6.iniface, b->fw6.ipv6.outiface, - b->fw6.ipv6.iniface_mask, - b->fw6.ipv6.outiface_mask); + b->fw6.ipv6.iniface, b->fw6.ipv6.outiface); } static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs) diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 6775578b1e36b..2c29e68f551df 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -220,36 +220,16 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule *r, } bool is_same_interfaces(const char *a_iniface, const char *a_outiface, - unsigned const char *a_iniface_mask, - unsigned const char *a_outiface_mask, - const char *b_iniface, const char *b_outiface, - unsigned const char *b_iniface_mask, - unsigned const char *b_outiface_mask) + const char *b_iniface, const char *b_outiface) { - int i; - - for (i = 0; i < IFNAMSIZ; i++) { - if (a_iniface_mask[i] != b_iniface_mask[i]) { - DEBUGP("different iniface mask %x, %x (%d)\n", - a_iniface_mask[i] & 0xff, b_iniface_mask[i] & 0xff, i); - return false; - } - if ((a_iniface[i] & a_iniface_mask[i]) - != (b_iniface[i] & b_iniface_mask[i])) { - DEBUGP("different iniface\n"); - return false; - } - if (a_outiface_mask[i] != b_outiface_mask[i]) { - DEBUGP("different outiface mask\n"); - return false; - } - if ((a_outiface[i] & a_outiface_mask[i]) - != (b_outiface[i] & b_outiface_mask[i])) { - DEBUGP("different outiface\n"); - return false; - } + if (strncmp(a_iniface, b_iniface, IFNAMSIZ)) { + DEBUGP("different iniface\n"); + return false; + } + if (strncmp(a_outiface, b_outiface, IFNAMSIZ)) { + DEBUGP("different outiface\n"); + return false; } - return true; } diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h index 51d1e4609a3b6..b57aee1f84a87 100644 --- a/iptables/nft-shared.h +++ b/iptables/nft-shared.h 
@@ -105,11 +105,7 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule *r, uint8_t proto, uint void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv); bool is_same_interfaces(const char *a_iniface, const char *a_outiface, - unsigned const char *a_iniface_mask, - unsigned const char *a_outiface_mask, - const char *b_iniface, const char *b_outiface, - unsigned const char *b_iniface_mask, - unsigned const char *b_outiface_mask); + const char *b_iniface, const char *b_outiface); void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op); void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv); diff --git a/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0 b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0 new file mode 100755 index 0000000000000..278cd648ebb78 --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0 
@@ -0,0 +1,9 @@ +#!/bin/bash + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } + +$XT_MULTI iptables -N test +$XT_MULTI iptables -A test -i lo \! -o lo -j REJECT +$XT_MULTI iptables -C test -i abcdefgh \! -o abcdefgh -j REJECT 2>/dev/null && exit 1 + +exit 0 From patchwork Tue Nov 19 22:03:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 2013381 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=kBX3tpNU; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:40f1:3f00::1; helo=sy.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-5269-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org [IPv6:2604:1380:40f1:3f00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XtJRB0y44z1y0L for ; Wed, 20 Nov 2024 09:03:34 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id C4767B2325E for ; Tue, 19 Nov 2024 22:03:33 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 2BB8E1C1741; Tue, 19 Nov 2024 22:03:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail 
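Review bot: the strncmp() rewrite in the nft-shared.c hunk changes what counts as equal relative to the removed loop, and the commit message should say so. The loop compared all IFNAMSIZ bytes, including whatever follows the terminating NUL, whereas strncmp() stops at the first NUL, so two names that differ only in stale bytes after the terminator now compare equal. That is the right semantics for interface names, and the IFNAMSIZ bound keeps the call safe when a name fills the buffer without a terminator, but the only mention is "Replace the loop by strncmp() calls" under the v1 changes, which will not survive into git history.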
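Review bot: the new test in 0020-compare-interfaces_0 only covers the negative case (the `-C` with non-matching interfaces must fail). Add the positive check before `exit 0`, e.g. `$XT_MULTI iptables -C test -i lo \! -o lo -j REJECT || exit 1`, so the test also catches an over-strict comparison that would make checks of existing rules fail.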
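The failure the commit message of patch 1/2 describes, as an added stand-alone C example that is not part of the patch or the iptables tree: a byte-wise masked comparison with the zeroed mask left behind by 9ccae6397475 can never report a mismatch, while the strncmp() form the patch introduces compares the names directly. IFNAMSIZ is defined locally with the Linux value, and the function names and sample interface names are this example's own.

```c
#include <stdbool.h>
#include <string.h>

/* Same value as IFNAMSIZ in <net/if.h> on Linux; defined here so the
 * example builds stand-alone. */
#define IFNAMSIZ 16

/* Shape of the comparison the patch removes: each byte of both names is
 * masked before being compared. With an all-zero mask every masked byte
 * is 0, so this can never return false. */
static bool masked_iface_equal(const char *a, const char *b,
                               const unsigned char *mask)
{
    for (int i = 0; i < IFNAMSIZ; i++) {
        if ((a[i] & mask[i]) != (b[i] & mask[i]))
            return false;
    }
    return true;
}

/* Shape of the replacement: compare the names themselves, bounded by
 * IFNAMSIZ so a name filling the buffer without a NUL is still safe. */
static bool iface_equal(const char *a, const char *b)
{
    return strncmp(a, b, IFNAMSIZ) == 0;
}

/* Constructed inputs mirroring the commit message: the rule was added
 * with "-i lo", the -C command asks about "-i abcdefgh". */
static const char rule_in[IFNAMSIZ] = "lo";
static const char check_in[IFNAMSIZ] = "abcdefgh";

/* Old code after 9ccae6397475: mask left zeroed, bogus match. */
bool zero_mask_reports_match(void)
{
    unsigned char zero_mask[IFNAMSIZ] = { 0 };
    return masked_iface_equal(rule_in, check_in, zero_mask);
}

/* Old code before 9ccae6397475: mask set to all ones, correct mismatch. */
bool ones_mask_reports_match(void)
{
    unsigned char ones_mask[IFNAMSIZ];
    memset(ones_mask, 0xff, sizeof(ones_mask));
    return masked_iface_equal(rule_in, check_in, ones_mask);
}

/* Patched comparison: no mask involved at all. */
bool fixed_reports_match(const char *a, const char *b)
{
    return iface_equal(a, b);
}
```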
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Jeremy Sowden
Subject: [iptables PATCH v2 2/2] nft: Drop interface mask leftovers from post_parse callbacks
Date: Tue, 19 Nov 2024 23:03:25 +0100
Message-ID: <20241119220325.30700-2-phil@nwl.cc>
X-Mailer: git-send-email 2.47.0
In-Reply-To: <20241119220325.30700-1-phil@nwl.cc>
References: <20241119220325.30700-1-phil@nwl.cc>
X-Patchwork-Id: 2013381

Fixed commit only adjusted the IPv4-specific callback for unclear reasons.

Fixes: fe70364b36119 ("xshared: Do not populate interface masks per default")
Cc: Jeremy Sowden
Signed-off-by: Phil Sutter
Reviewed-by: Jeremy Sowden
---
Changes since v1:
- New patch
---
 iptables/nft-arp.c | 3 ---
 iptables/xshared.c | 5 -----
 iptables/xshared.h | 1 -
 3 files changed, 9 deletions(-)

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index c11d64c368638..fa2dd558b1f89 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -459,10 +459,7 @@ static void nft_arp_post_parse(int command, cs->arp.arp.invflags = args->invflags; memcpy(cs->arp.arp.iniface, args->iniface, IFNAMSIZ); - memcpy(cs->arp.arp.iniface_mask, args->iniface_mask, IFNAMSIZ); - memcpy(cs->arp.arp.outiface, args->outiface, IFNAMSIZ); - memcpy(cs->arp.arp.outiface_mask, args->outiface_mask, IFNAMSIZ); cs->arp.counters.pcnt = args->pcnt_cnt; cs->arp.counters.bcnt = args->bcnt_cnt; diff --git a/iptables/xshared.c b/iptables/xshared.c index 2a5eef09c75de..2f663f9762016 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -2104,12 +2104,7 @@ void ipv6_post_parse(int command, struct iptables_command_state *cs, cs->fw6.ipv6.invflags = args->invflags; memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ); - memcpy(cs->fw6.ipv6.iniface_mask, - args->iniface_mask, IFNAMSIZ*sizeof(unsigned char)); - memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ); - memcpy(cs->fw6.ipv6.outiface_mask, - args->outiface_mask, IFNAMSIZ*sizeof(unsigned char)); if (args->goto_set) cs->fw6.ipv6.flags |= IP6T_F_GOTO; diff --git a/iptables/xshared.h b/iptables/xshared.h index a111e79793b54..af756738e7c44 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -262,7 +262,6 @@ struct xtables_args { uint8_t flags; uint16_t invflags; char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; - unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; char bri_iniface[IFNAMSIZ], bri_outiface[IFNAMSIZ]; bool goto_set; const char *shostnetworkmask, *dhostnetworkmask;
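Review bot: the nft_arp_post_parse hunk removes the copies into cs->arp.arp.iniface_mask and outiface_mask without the commit message saying whether any reader of those fields remains once patch 1/2 has dropped them from is_same_interfaces(). If none does, please state that this is a pure cleanup with no behaviour change; if one does, the change needs justification beyond "unclear reasons".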
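Review bot: dropping iniface_mask and outiface_mask from struct xtables_args in the xshared.h hunk is only safe if nothing still writes to them. The diffstat touches only nft-arp.c, xshared.c and xshared.h, and the message says fe70364b36119 adjusted just the IPv4 callback, so please mention where the code that filled these masks when parsing -i/-o was removed (or include that removal here), since any remaining reference would now be a build error.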