From: "David S. Miller" <davem@redhat.com>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH 2.6 0/12]: netfilter update
Date: Fri, 24 Sep 2004 15:40:32 -0700 [thread overview]
Message-ID: <20040924154032.5a0c32e1.davem@redhat.com> (raw)
In-Reply-To: <4150D880.70108@trash.net>
On Wed, 22 Sep 2004 03:42:24 +0200
Patrick McHardy <kaber@trash.net> wrote:
> The existing scheme has one problem, it takes files->file_lock
> in a BH, but the patch doesn't mean to fix this. Besides
> this, it works fine. The patch extends the owner match so it
> can also be used in the input path, where skb->sk isn't set.
> This is quite useful for filtering input traffic based on user
> etc., unfortunately it can't be done without exporting
> {tcp,udp}_v4_lookup. Do you see an alternative to dropping the
> patch ?
I think the scheme is a bit illogical.
Until the actual TCP socket lookup call, you cannot say for sure
what that lookup would result in.
For example, let's say that between where the ipt_owner match
is invoked on input, and the actual call to tcp_v4_rcv(), some
filtering or other packet mangling scheme changes the IP address
or ports. You're going to get different results in ipt_owner()
than TCP was going to achieve.
It sounds like we want some kind of socket resolution policy check.
It's starting to get rediculious, as we have two filters _already_
in that code path, one for the per-socket BPF style filtering, and
the other for IPSEC.
The IPSEC check is available on output too.
I don't see how it's avoidable to add another condition there.
So what if we had something like:
NF_SK_HOOK(PF_INET, NF_TCP_IN, sk, skb, skb->dev, NULL,
tcp_v4_rcv_finish)
or something along those lines? Perhaps you can simplify the
argument set even further.
next prev parent reply other threads:[~2004-09-24 22:40 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-21 3:20 [PATCH 2.6 0/12]: netfilter update Patrick McHardy
2004-09-21 21:36 ` David S. Miller
2004-09-21 23:38 ` Patrick McHardy
2004-09-22 0:18 ` David S. Miller
2004-09-22 1:42 ` Patrick McHardy
2004-09-24 22:40 ` David S. Miller [this message]
2004-09-26 19:43 ` Patrick McHardy
2004-09-26 21:45 ` Henrik Nordstrom
2004-09-26 21:56 ` Patrick McHardy
2004-09-26 22:08 ` Henrik Nordstrom
2004-09-26 23:19 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040924154032.5a0c32e1.davem@redhat.com \
--to=davem@redhat.com \
--cc=kaber@trash.net \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.