From: Florian Westphal <fw@strlen.de>
To: Patrick McHardy <kaber@trash.net>
Cc: Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Michal Kubecek <mkubecek@suse.cz>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
netfilter-devel@vger.kernel.org, linux-sctp@vger.kernel.org,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>
Subject: Re: [RFC PATCH -next] netfilter: nf_ct_sctp: validate vtag for new conntrack entries
Date: Thu, 26 Nov 2015 15:07:26 +0000 [thread overview]
Message-ID: <20151126150726.GD32716@breakpoint.cc> (raw)
In-Reply-To: <20151126144916.GJ16828@macbook.localdomain>
Patrick McHardy <kaber@trash.net> wrote:
> Yeah, my main concern is that this requires the user to know about protocol
> modules, details about how the distribution build the kernel etc.
Yep, sucks.
> main reason for this problem to exists is exactly because users *don't* know
> about this, so I'm questioning whether this really solves it.
>
> The =y case is easy, it will work. The =m case should probably at least be
> handled automatically. And then =n case is impossible to solve correctly
> and therefore probably should not be possible.
With you so far.
> I think the question during configuration should be "SCTP support y/n/m".
> We would then select the sctp match, build the SCTP conntrack into the
> conntrack core the SCTP NAT into the NAT core and the problem can not
> occur anymore. Same thing for other protocols. If the user selects n,
> no SCTP conntrack, no SCTP match.
So you'd propose that one can have
SCTP_MATCH=y
CONNTRACK=n
but not:
SCTP_MATCH=y
CONNTRACK=y
SCTP_CONNTRACK=n
IOW, make SCTP_CONNTRACK a non-visible symbol that
just glues sctp conntrack to the conntrack core when
both conntrack and sctp match is selected.
> Alternatively, as I believe Pablo suggested, we can simply put all conntrack
> modules inside the core.
I would prefer to NOT force people to use extra connection tracking code
for sctp if they don't need it.
Most distributions will ship with all of this as '=m', but IMHO its safe
to assume that most users will in fact not use sctp (but conntrack for
udp and tcp).
WARNING: multiple messages have this Message-ID (diff)
From: Florian Westphal <fw@strlen.de>
To: Patrick McHardy <kaber@trash.net>
Cc: Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Michal Kubecek <mkubecek@suse.cz>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
netfilter-devel@vger.kernel.org, linux-sctp@vger.kernel.org,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>
Subject: Re: [RFC PATCH -next] netfilter: nf_ct_sctp: validate vtag for new conntrack entries
Date: Thu, 26 Nov 2015 16:07:26 +0100 [thread overview]
Message-ID: <20151126150726.GD32716@breakpoint.cc> (raw)
In-Reply-To: <20151126144916.GJ16828@macbook.localdomain>
Patrick McHardy <kaber@trash.net> wrote:
> Yeah, my main concern is that this requires the user to know about protocol
> modules, details about how the distribution build the kernel etc.
Yep, sucks.
> main reason for this problem to exists is exactly because users *don't* know
> about this, so I'm questioning whether this really solves it.
>
> The =y case is easy, it will work. The =m case should probably at least be
> handled automatically. And then =n case is impossible to solve correctly
> and therefore probably should not be possible.
With you so far.
> I think the question during configuration should be "SCTP support y/n/m".
> We would then select the sctp match, build the SCTP conntrack into the
> conntrack core the SCTP NAT into the NAT core and the problem can not
> occur anymore. Same thing for other protocols. If the user selects n,
> no SCTP conntrack, no SCTP match.
So you'd propose that one can have
SCTP_MATCH=y
CONNTRACK=n
but not:
SCTP_MATCH=y
CONNTRACK=y
SCTP_CONNTRACK=n
IOW, make SCTP_CONNTRACK a non-visible symbol that
just glues sctp conntrack to the conntrack core when
both conntrack and sctp match is selected.
> Alternatively, as I believe Pablo suggested, we can simply put all conntrack
> modules inside the core.
I would prefer to NOT force people to use extra connection tracking code
for sctp if they don't need it.
Most distributions will ship with all of this as '=m', but IMHO its safe
to assume that most users will in fact not use sctp (but conntrack for
udp and tcp).
next prev parent reply other threads:[~2015-11-26 15:07 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-25 19:13 [RFC PATCH -next] netfilter: nf_ct_sctp: validate vtag for new conntrack entries Marcelo Ricardo Leitner
2015-11-25 19:13 ` Marcelo Ricardo Leitner
2015-11-25 19:42 ` Pablo Neira Ayuso
2015-11-25 19:42 ` Pablo Neira Ayuso
2015-11-25 20:20 ` Marcelo Ricardo Leitner
2015-11-25 20:20 ` Marcelo Ricardo Leitner
2015-11-25 20:58 ` Michal Kubecek
2015-11-25 20:58 ` Michal Kubecek
2015-11-26 9:51 ` Pablo Neira Ayuso
2015-11-26 9:51 ` Pablo Neira Ayuso
2015-11-26 12:52 ` Marcelo Ricardo Leitner
2015-11-26 12:52 ` Marcelo Ricardo Leitner
2015-11-26 14:15 ` Patrick McHardy
2015-11-26 14:33 ` Florian Westphal
2015-11-26 14:33 ` Florian Westphal
2015-11-26 14:49 ` Patrick McHardy
2015-11-26 15:07 ` Florian Westphal [this message]
2015-11-26 15:07 ` Florian Westphal
2015-11-26 15:11 ` Patrick McHardy
2015-11-26 15:12 ` Pablo Neira Ayuso
2015-11-26 15:12 ` Pablo Neira Ayuso
2015-11-26 15:24 ` Patrick McHardy
2015-11-26 15:54 ` Pablo Neira Ayuso
2015-11-26 15:54 ` Pablo Neira Ayuso
2015-11-26 16:02 ` Patrick McHardy
2015-11-26 16:15 ` Pablo Neira Ayuso
2015-11-26 16:15 ` Pablo Neira Ayuso
2015-11-26 16:25 ` Patrick McHardy
2015-11-26 16:43 ` Pablo Neira Ayuso
2015-11-26 16:43 ` Pablo Neira Ayuso
2015-11-26 16:53 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151126150726.GD32716@breakpoint.cc \
--to=fw@strlen.de \
--cc=kaber@trash.net \
--cc=linux-sctp@vger.kernel.org \
--cc=marcelo.leitner@gmail.com \
--cc=mkubecek@suse.cz \
--cc=netfilter-devel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=pablo@netfilter.org \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.