Re: [PATCH v2 1/1] netfilter: load nf_log_syslog on enabling nf_conntrack_log_invalid

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Thu, 24 Jul 2025 14:24:22 +0200

Hi,

On Mon, May 26, 2025 at 04:59:02PM +0800, Lance Yang wrote:
> diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
> index 2f666751c7e7..cdc27424f84a 100644
> --- a/net/netfilter/nf_conntrack_standalone.c
> +++ b/net/netfilter/nf_conntrack_standalone.c
> @@ -14,6 +14,7 @@
>  #include <linux/sysctl.h>
>  #endif
>  
> +#include <net/netfilter/nf_log.h>
>  #include <net/netfilter/nf_conntrack.h>
>  #include <net/netfilter/nf_conntrack_core.h>
>  #include <net/netfilter/nf_conntrack_l4proto.h>
> @@ -543,6 +544,29 @@ nf_conntrack_hash_sysctl(const struct ctl_table *table, int write,
>  	return ret;
>  }
>  
> +static int
> +nf_conntrack_log_invalid_sysctl(const struct ctl_table *table, int write,
> +				void *buffer, size_t *lenp, loff_t *ppos)
> +{
> +	int ret, i;
> +
> +	ret = proc_dou8vec_minmax(table, write, buffer, lenp, ppos);
> +	if (ret < 0 || !write)
> +		return ret;
> +
> +	if (*(u8 *)table->data == 0)
> +		return ret;

What is this table->data check for? I don't find any similar idiom
like this in the existing proc_dou8vec_minmax() callers.

> +
> +	/* Load nf_log_syslog only if no logger is currently registered */
> +	for (i = 0; i < NFPROTO_NUMPROTO; i++) {
> +		if (nf_log_is_registered(i))
> +			return ret;
> +	}
> +	request_module("%s", "nf_log_syslog");
> +
> +	return ret;
> +}
> +
>  static struct ctl_table_header *nf_ct_netfilter_header;
>  
>  enum nf_ct_sysctl_index {
> @@ -649,7 +673,7 @@ static struct ctl_table nf_ct_sysctl_table[] = {
>  		.data		= &init_net.ct.sysctl_log_invalid,
>  		.maxlen		= sizeof(u8),
>  		.mode		= 0644,
> -		.proc_handler	= proc_dou8vec_minmax,
> +		.proc_handler	= nf_conntrack_log_invalid_sysctl,
>  	},
>  	[NF_SYSCTL_CT_EXPECT_MAX] = {
>  		.procname	= "nf_conntrack_expect_max",
> diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
> index 6dd0de33eebd..c7dd5019a89d 100644
> --- a/net/netfilter/nf_log.c
> +++ b/net/netfilter/nf_log.c
> @@ -125,6 +125,33 @@ void nf_log_unregister(struct nf_logger *logger)
>  }
>  EXPORT_SYMBOL(nf_log_unregister);
>  
> +/**
> + * nf_log_is_registered - Check if any logger is registered for a given
> + * protocol family.
> + *
> + * @pf: Protocol family
> + *
> + * Returns: true if at least one logger is active for @pf, false otherwise.
> + */
> +bool nf_log_is_registered(u_int8_t pf)
> +{
> +	int i;
> +
> +	/* Out of bounds. */

No need for this comment, please remove it.

> +	if (pf >= NFPROTO_NUMPROTO) {
> +		WARN_ON_ONCE(1);
> +		return false;
> +	}