Re: [PATCH 3/3] netfilter: ctnetlink: allow userspace to set labels

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>,
	netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH 3/3] netfilter: ctnetlink: allow userspace to set labels
Date: Fri, 30 Nov 2012 22:36:31 +0100	[thread overview]
Message-ID: <20121130213631.GE31969@breakpoint.cc> (raw)
In-Reply-To: <20121130183450.GA27138@1984>

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Nov 30, 2012 at 03:02:54PM +0100, Florian Westphal wrote:
[..]
> > Unfortunately, no -- the interface is too rudimentary.
> > Example: You want to set bis 0, 2, 6; but leave all other
> > bit that are set intact.
> > 
> > So you first need to make a dump to fetch the current labels set.
> > Then, you set bits 0, 2, 6 and send the new state to the kernel.
> > 
> > But between the dump and the set operation, a new bit might
> > have been set.  So even when using xchg it will be un-set again...
> 
> what about cmpxchg inside a loop? I think we can assume that the
> probability of interference while updating a word is low.

I'll try to give an example.

Userspace tool wants to set bit 0 on all labels, and remove all
others.  Except label 1<<31, which should be left alone.

With the proposed interface, you would do something like

dump_conntracks();

for_each_ct_object(..) {
	u32 word = get_ct_labels(ct);

	word &= 0x80000000; /* clear all but bit 31 */
	word |= 1;	    /* set bit 0 */
	send_change_to_kernel(ct); /* tell kernel */
}

No matter what xchg tricks you do in the kernel: if 1<<31 was set
after the dump completed, it will be un-set again via
send_change_to_kernel(), i.e. we clear bit 1<<31, even though we didn't
want to.  I don't see how this can be solved; kernel has no idea that
userspace doesn't wish to alter 1<<31.

We would have to add explicit support for setting/clearing single bits
to make this work, then userspace could say 'set bit 0'. 'clear bit 1',
etc.

HOWEVER, i've failed to come up with a plausible usage scenario where
such an interface would be useful/required. 8-}

So, I'd propose to leave things as they are, i.e. userspace commits
the entire connlabel bitvector. The ruleset would presumably
re-set required labels anyway on the next packet.

If someone can come up with a usage scenario where this
isn't sufficient, we could always add such a 'clear/set bit' command
later.

What do you think?

Cheers,
Florian

next prev parent reply	other threads:[~2012-11-30 21:36 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-11-15 15:55 [PATCH 0/3] netfilter: add connlabel conntrack extension Florian Westphal
2012-11-15 15:55 ` [PATCH 1/3] " Florian Westphal
2012-11-15 15:55 ` [PATCH 2/3] netfilter: ctnetlink: deliver labels to userspace via CTA_LABELS attribute Florian Westphal
2012-11-15 15:55 ` [PATCH 3/3] netfilter: ctnetlink: allow userspace to set labels Florian Westphal
2012-11-27 11:18   ` Pablo Neira Ayuso
2012-11-27 11:50     ` Florian Westphal
2012-11-27 12:31       ` Pablo Neira Ayuso
2012-11-27 13:09         ` Florian Westphal
2012-11-27 14:13           ` Pablo Neira Ayuso
2012-11-27 14:24             ` Florian Westphal
2012-11-30 13:58               ` Pablo Neira Ayuso
2012-11-30 14:02                 ` Florian Westphal
2012-11-30 18:34                   ` Pablo Neira Ayuso
2012-11-30 21:36                     ` Florian Westphal [this message]
2012-12-03 11:04                       ` Pablo Neira Ayuso
2012-12-03 11:13                         ` Florian Westphal
2012-12-03 12:58                           ` Pablo Neira Ayuso
2012-11-27 12:39   ` Pablo Neira Ayuso
2012-11-16 10:02 ` [PATCH 0/3] netfilter: add connlabel conntrack extension Pablo Neira Ayuso
2012-11-16 11:31   ` Florian Westphal
2012-11-16 11:52     ` Pablo Neira Ayuso

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20121130213631.GE31969@breakpoint.cc \
    --to=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.