[net,v2,0/3] net/sched: act_ipt bug fixes

Message ID	20230608140246.15190-1-fw@strlen.de (mailing list archive)
Headers	show Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 59B66947B for <netdev@vger.kernel.org>; Thu, 8 Jun 2023 14:03:13 +0000 (UTC) From: Florian Westphal <fw@strlen.de> To: <netdev@vger.kernel.org> Cc: kuba@kernel.org, edumazet@google.com, davem@davemloft.net, pabeni@redhat.com, jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, Florian Westphal <fw@strlen.de> Subject: [PATCH net v2 0/3] net/sched: act_ipt bug fixes Date: Thu, 8 Jun 2023 16:02:43 +0200 Message-Id: <20230608140246.15190-1-fw@strlen.de> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	net/sched: act_ipt bug fixes \| expand [net,v2,0/3] net/sched: act_ipt bug fixes [net,v2,1/3] net/sched: act_ipt: add sanity checks on table name and hook locations [net,v2,2/3] net/sched: act_ipt: add sanity checks on skb before calling target [net,v2,3/3] net/sched: act_ipt: zero skb->cb before calling target

Message ID

20230608140246.15190-1-fw@strlen.de (mailing list archive)

Headers

From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: kuba@kernel.org,
	edumazet@google.com,
	davem@davemloft.net,
	pabeni@redhat.com,
	jhs@mojatatu.com,
	xiyou.wangcong@gmail.com,
	jiri@resnulli.us,
	Florian Westphal <fw@strlen.de>
Subject: [PATCH net v2 0/3] net/sched: act_ipt bug fixes
Date: Thu,  8 Jun 2023 16:02:43 +0200
Message-Id: <20230608140246.15190-1-fw@strlen.de>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

net/sched: act_ipt bug fixes | expand

Message

Florian Westphal June 8, 2023, 2:02 p.m. UTC

v2: add "Fixes" tags, no other changes, so retaining Simons RvB tag.

While checking if netfilter could be updated to replace selected
instances of NF_DROP with kfree_skb_reason+NF_STOLEN to improve
debugging info via drop monitor I found that act_ipt is incompatible
with such an approach.  Moreover, it lacks multiple sanity checks
to avoid certain code paths that make assumptions that the tc layer
doesn't meet, such as header sanity checks, availability of skb_dst
skb_nfct() and so on.

act_ipt test in the tc selftest still pass with this applied.

I think that we should consider removal of this module, while
this should take care of all problems, its ipv4 only and I don't
think there are any netfilter targets that lack a native tc
equivalent, even when ignoring bpf.

Florian Westphal (3):
  net/sched: act_ipt: add sanity checks on table name and hook locations
  net/sched: act_ipt: add sanity checks on skb before calling target
  net/sched: act_ipt: zero skb->cb before calling target

 net/sched/act_ipt.c | 70 ++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 63 insertions(+), 7 deletions(-)

Comments

Jamal Hadi Salim June 8, 2023, 4:50 p.m. UTC | #1

On Thu, Jun 8, 2023 at 10:03 AM Florian Westphal <fw@strlen.de> wrote:
>
> v2: add "Fixes" tags, no other changes, so retaining Simons RvB tag.
>
> While checking if netfilter could be updated to replace selected
> instances of NF_DROP with kfree_skb_reason+NF_STOLEN to improve
> debugging info via drop monitor I found that act_ipt is incompatible
> with such an approach.  Moreover, it lacks multiple sanity checks
> to avoid certain code paths that make assumptions that the tc layer
> doesn't meet, such as header sanity checks, availability of skb_dst
> skb_nfct() and so on.
>
> act_ipt test in the tc selftest still pass with this applied.
>
> I think that we should consider removal of this module, while
> this should take care of all problems, its ipv4 only and I don't
> think there are any netfilter targets that lack a native tc
> equivalent, even when ignoring bpf.
>

I am all for removing it - but i am worried there are users based on
past interactions. Will try to ping some users and see if they
actually were using it. I will send a patch to retire it if it looks
safe.
Unfortunately ipt suffered because we couldnt coordinate between the
netfilter and tc subsystem. In the old days so calling/callee bugs
fixed in the netfilter world find their way into ipt. At some point
that stopped. Also the user space interfacing suffered from similar
issues.

cheers,
jamal

> Florian Westphal (3):
>   net/sched: act_ipt: add sanity checks on table name and hook locations
>   net/sched: act_ipt: add sanity checks on skb before calling target
>   net/sched: act_ipt: zero skb->cb before calling target
>
>  net/sched/act_ipt.c | 70 ++++++++++++++++++++++++++++++++++++++++-----
>  1 file changed, 63 insertions(+), 7 deletions(-)
>
> --
> 2.40.1
>

Florian Westphal June 8, 2023, 6:36 p.m. UTC | #2

Jamal Hadi Salim <jhs@mojatatu.com> wrote:
> On Thu, Jun 8, 2023 at 10:03 AM Florian Westphal <fw@strlen.de> wrote:
> > I think that we should consider removal of this module, while
> > this should take care of all problems, its ipv4 only and I don't
> > think there are any netfilter targets that lack a native tc
> > equivalent, even when ignoring bpf.
> >
> 
> I am all for removing it - but i am worried there are users based on
> past interactions. Will try to ping some users and see if they
> actually were using it.

Thanks Jamal.  I'd also be interested in what xt module(s) are used,
if any.

> I will send a patch to retire it if it looks
> safe.

Thanks.