From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au Authentication-Results: passt.top; dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202412 header.b=L3/sAB0O; dkim-atps=neutral Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3]) by passt.top (Postfix) with ESMTPS id 0F19D5A026F for ; Fri, 03 Jan 2025 06:07:12 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202412; t=1735880814; bh=6ATlbYxLRG6aMcpRWYvAmd0eAno3YzjMbTNGek0/j18=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=L3/sAB0O1UTIigbeFwbkTZOFgaafTJrdr8mQxgwoI9Tdpv2RdHMsxeogK/oS8SA0x 7OvSr4zd+qNIVxo7MbEF/c8ey59bwWIuRz8NVRKPt2i8cF+rvwxTVmq/NJmg2lypsi ifsNCJ4rCi1VWitAXe6AgOUHjdO/1km0q5t3j634gJdZh/1EW9+9K2VN4qPsTqcNvV HVKq2AdVLUFmLTKsEEKkUCAm8MQxmvtBnZa6zHLzhda0G4FDOhA9xdhL66DtOUoxkb eYbM4Hv3/y+B8a6xXCsouWHzu83iuqGi7UTzyIhoPrakCh00tMKFbICoUL/6CpIFss sw1QB8wBKitxg== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4YPWlL5THTz4xfr; Fri, 3 Jan 2025 16:06:54 +1100 (AEDT) Date: Fri, 3 Jan 2025 15:48:47 +1100 From: David Gibson To: Stefano Brivio Subject: Re: [PATCH v2 07/12] packet: Remove unhelpful packet_get_try() macro Message-ID: References: <20241220083535.1372523-1-david@gibson.dropbear.id.au> <20241220083535.1372523-8-david@gibson.dropbear.id.au> <20250101225437.3fc4f71b@elisabeth> <20250102230004.04825962@elisabeth> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="T1FJ+FX1X4Ykq8nz" Content-Disposition: inline In-Reply-To: <20250102230004.04825962@elisabeth> Message-ID-Hash: FTE5E4CYF6QOUANMKTS3U2E7FNULOP75 X-Message-ID-Hash: FTE5E4CYF6QOUANMKTS3U2E7FNULOP75 X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --T1FJ+FX1X4Ykq8nz Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jan 02, 2025 at 11:00:04PM +0100, Stefano Brivio wrote: > On Thu, 2 Jan 2025 13:15:40 +1100 > David Gibson wrote: >=20 > > On Wed, Jan 01, 2025 at 10:54:37PM +0100, Stefano Brivio wrote: > > > On Fri, 20 Dec 2024 19:35:30 +1100 > > > David Gibson wrote: > > > =20 > > > > Two places in the code use the packet_get_try() variant on packet_g= et(). > > > > The difference is that packet_get_try() passes a NULL 'func' to > > > > packet_get_do(), which suppresses log messages. The places we use = this > > > > are ones where we expect to sometimes have a failure retreiving the= packet > > > > range, even in normal cases. So, suppressing the log messages seem= s like > > > > it makes sense, except: > > > >=20 > > > > 1) It suppresses log messages on all errors. We (somewhat) expect = to hit > > > > the case where the requested range is not within the received pa= cket. > > > > However, it also suppresses message in cases where the requested= packet > > > > index doesn't exist, the requested range has a nonsensical lengt= h or > > > > doesn't lie in even the right vague part of memory. None of tho= se > > > > latter cases are expected, and the message would be helpful if w= e ever > > > > actually hit them. > > > >=20 > > > > 2) The suppressed messages aren't actually that disruptive. For th= e case > > > > in ip.c, we'd log only if we run out of IPv6 packet before reach= ing a > > > > (non-option) L4 header. That shouldn't be the case in normal op= eration > > > > so getting a message (at trave level) is not unreasonable. > > > > For the case in dhcpv6.c we do suppress a message every time we = look for > > > > but don't find a specific DHCPv6 option. That can happen in per= fectly > > > > ok cases, but, again these are trace() level and DHCPv6 transact= ions > > > > aren't that common. Suppressing the message for this case doesn= 't > > > > seem worth the drawbacks of (1). =20 > > >=20 > > > The reason why I implemented packet_get_try() is that the messages fr= om > > > packet_get_do() indicate serious issues, and if I'm debugging somethi= ng > > > by looking at traces it's not great to have messages indicating that = we > > > hit a serious issue while we're simply validating identity associatio= ns. =20 > >=20 > > I'm not following your argument here. It's exactly because (most of) > > the message indicate serious issues that I don't want to suppress > > them. I don't know what you mean by "validating identity > > associations". >=20 > But dhcpv6_opt() trying to get data that doesn't exist is *not* an > issue, including not a serious one, so if I'm debugging something with > --trace and I see one of these messages I'll shout at "memory" or > "packet" badness and waste time thinking it's an actual issue. Oh.. I think I see the confusion. dhcpv6_opt() trying to get data that's not in the packet is not an issue. dhcpv6_opt() trying to get data that is (theoretically) within the packet, but *not* in the buffer indicates something very bad has happened. The former is exactly one check, every other one is the second class - trying to separate those cases is the purpose of the later "different severities" patch. The difficulty is that passing func=3D=3DNULL to indicate the "try" case doesn't work if we want to still give useful errors for the serious cases: we need the function name for those too. I had been considering printing occasional trace level messages for the ok case an acceptable tradeoff for not suppressing the messages which are serious. But I see your case or that being too confusing when debugging. I did have a draft where I used an explicit boolean flag to enable/disable the non-serious errors, but gave up on it for simplicity. I'll look into a way to continue suppressing the non-serious error here. Maybe moving the (single) non-serious error case message into the caller with a wrapper. > Validating identity associations (IA_NA, IA_TA, RFC 3315) is what > dhcpv6_ia_notonlink() does. That's the most common case where we'll > routinely call dhcpv6_opt() to fetch data which isn't there. Ok. > > > It's not about the amount of logged messages, it's about the type of > > > message being logged and the distracting noise possibly resulting in a > > > substantial time waste. > > >=20 > > > About 1): dhcpv6_opt() always picks pool index 0, and the base offset > > > was already checked by the caller. =20 > >=20 > > Right, but dhcpv6_opt() is called in a loop, that only stops when it > > returns NULL. So, by construction the last call to dhcpv6_opt(), > > which terminates the loop, _will_ have a failing call to packet_get(). > > At this point - at least assuming a correctly constructed packet - the > > offset will point to just past the last option, which should be > > exactly at the end of the packet. >=20 > Yes, I get that, and: >=20 > - I would be happy if that one were *not* reported as failure Right, that's also my preference, but as above I compromised on this to simplify preserving the error cases that do matter. > - the calls before that one should always be enough to check if we have > an actual issue with the packet Yes, in this case I think that's correct. > > > In ipv6_l4hdr(), the index was > > > already validated by a previous call to packet_get(), and the starting > > > offset as well. =20 > >=20 > > Not AFAICT, the initial packet_get just validates the basic IPv6 > > header. The calls to packet_get_try() in the loop validate additional > > IP options. I don't think it will ever fail on a well-constructed > > packet, but it could on a bogus (or truncated) packet, where the > > nexthdr field indicates an option that's actually missing. > >=20 > > This is kind of my point: it will only trip on a badly constructed > > packet, in which case I don't think we want to suppress messages. >=20 > There, I used packet_get_try() because a missing option or payload > doesn't indicate a bad packet at the _data_ level. Not really sure what you mean by the data level, here. > On the other hand, it's bad at the network level anyway, because option > 59 *must* be there otherwise (I just realised), so while I'd still > prefer another wording of the warning (not mentioning packet/buffer > ranges... something more network-y), I would be fine with it. That sounds like another argument for moving the message for the "requested range is outside packet" case into the caller. --=20 David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson --T1FJ+FX1X4Ykq8nz Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmd3bCEACgkQzQJF27ox 2Gf56RAArTXnNTHlTvVHCiuXizE3JkrHsBSxFx8iv/v0tV1thX57m2bwObXgSarJ e+p8BPAQDx+8rMe0s5Ebn1lkvSs4/BWeCGjmqhQAAj/xi0BxqULgoNUdbmOCo6le 2ONJZRYy1u557J5aY6PoDyLug/1TsKHK/KjrlD2E+6jGstGpBiNFVucIbvdKO46J qR8l2tevIax+dMrNFJWm8NWyU0QQk5MsRFgF5Bnz8yBlnBJJDuyUTpADzEUU3iMA /IvFahFcKYqLwI/wAAnoYg0Su2Gx//0u4/TmqSxYHVkK0CbXk//kLq+sVjORL/vq UwSpu53uoBjHSpcxcx8aIY6LA2enHCowNz5riZQTByjZxZLs9Uej/hlVY71zOSFp iwpRhYbAWchDZ3c9njAvqrHK8FEOmZnjDMJbDlHonb4Dq2IIelRqOrfvsR1r3Vij +1FtaRzI47BFsv9nxsgkVigHuF81HV4Bp0kzFX2qM9evj1bx3+2H5t5+n5u70FEh XFPfWwFrIEPGpP1X7R1eE6yiUf5K8ENxKz6gh1aTRHdRBHch9R/hPZiVeyAa6DWX cFsUUOe8BXehTOFvQnohJHhlkneKRNZyWZWb8lyfBaCz8192d1a4KH0DOEDx2bXM b8I/BVVjAoT6qebzUi37XVKJLei1yX9SKktG6yrYFow/IAVqDh8= =UM46 -----END PGP SIGNATURE----- --T1FJ+FX1X4Ykq8nz--