From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf 00/17] netfilter: xtables: stricter ruleset validation
Date: Fri, 8 Apr 2016 13:59:05 +0200
Message-ID: <20160408115905.GA7001@breakpoint.cc>
In-Reply-To: <20160408115818.GA6954@salvia>

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Apr 01, 2016 at 02:17:20PM +0200, Florian Westphal wrote:
> > This series adds more checks on xtables (arp, ip, ip6tables) rulesets.
> > 
> > - check all offsets (target, next) of all rules during initial pass
> >   after copy from userspace.
> > - check targets of jumps (-j bla): offset should be start of a rule
> > - assert that alleged target size is at least as big as minimum target
> >   structure
> > - change CONFIG_COMPAT code path to push ruleset via normal setsockopt
> >   path after initial 32->64 bit conversion to avoid duplicating checks
> > - use a common helper to copy counters from userspace instead of
> >   the ip/ip6/arp implementation.
> >
> > Tested:
> > - iptables.git iptables-test.py passes
> > - made a few performance tests w. really silly rulesets to verify
> > that things don't slow down too much, see individual patches for details.
> > 
> >  include/linux/netfilter/x_tables.h |   12 +
> >  net/ipv4/netfilter/arp_tables.c    |  303 ++++++++++------------------------
> >  net/ipv4/netfilter/ip_tables.c     |  327 +++++++++----------------------------
> >  net/ipv6/netfilter/ip6_tables.c    |  320 ++++++++----------------------------
> >  net/netfilter/x_tables.c           |  244 +++++++++++++++++++++++++++
> >  5 files changed, 506 insertions(+), 700 deletions(-)
> 
> Nice work, and we got less code to maintain, good :)
> 
> I'm starting to consider that, given that this has been broken since
> day 1, we pass this through nf-next and then later on we request
> inclusion for -stable.

Fine with me.
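The checks the quoted cover letter lists (every target and next offset validated in one pass right after the copy from userspace, jump targets required to land on the start of a rule, and a target's alleged size required to be at least the size of the target structure) as a constructed C example added here. It is not the kernel's x_tables code: the rule layout (rule_hdr, target_hdr, the verdict encoding and the minimum sizes) is invented for the example and deliberately much simpler than ipt_entry and xt_entry_target, and the sample blobs are built inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified rule layout (not the kernel's structs). A rule is a
 * rule_hdr, optional match data, then a target_hdr at target_offset.
 * next_offset is the rule's total size: rule start + next_offset is the start
 * of the following rule. */
struct rule_hdr { uint16_t target_offset, next_offset; };
struct target_hdr {
    uint16_t target_size;   /* header plus target-specific data */
    int32_t  verdict;       /* >= 0: jump to the rule starting at this byte offset */
};

#define TARGET_MIN_SIZE sizeof(struct target_hdr)
#define RULE_MIN_SIZE   (sizeof(struct rule_hdr) + TARGET_MIN_SIZE)
#define MAX_RULES       64

/* Pass 1: walk the blob from the front, check every offset and size against the
 * enclosing rule and the enclosing blob, and record where each rule starts.
 * Returns the rule count, or -1 on the first bogus offset. */
static int walk_rules(const uint8_t *blob, size_t len, size_t *starts, size_t max_rules)
{
    size_t off = 0, n = 0;
    while (off < len) {
        struct rule_hdr h;
        struct target_hdr t;
        if (len - off < sizeof h) return -1;                    /* truncated rule header */
        memcpy(&h, blob + off, sizeof h);
        if (h.next_offset < RULE_MIN_SIZE) return -1;           /* too small to hold a target */
        if (h.next_offset > len - off) return -1;               /* next rule would start past the end */
        if (h.target_offset < sizeof h) return -1;              /* target overlaps the rule header */
        if ((size_t)h.target_offset + TARGET_MIN_SIZE > h.next_offset) return -1; /* target outside rule */
        memcpy(&t, blob + off + h.target_offset, sizeof t);
        if (t.target_size < TARGET_MIN_SIZE) return -1;         /* alleged size below the structure */
        if ((size_t)h.target_offset + t.target_size > h.next_offset) return -1; /* spills into next rule */
        if (n == max_rules) return -1;
        starts[n++] = off;
        off += h.next_offset;
    }
    return (int)n;
}

static bool is_rule_start(const size_t *starts, size_t n, size_t off)
{
    for (size_t i = 0; i < n; i++)
        if (starts[i] == off) return true;
    return false;
}

/* Pass 2: every jump verdict must land exactly on a rule start. This needs the
 * full list of starts, which is why it cannot be folded into pass 1. */
static bool jumps_valid(const uint8_t *blob, const size_t *starts, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        struct rule_hdr h;
        struct target_hdr t;
        memcpy(&h, blob + starts[i], sizeof h);
        memcpy(&t, blob + starts[i] + h.target_offset, sizeof t);
        if (t.verdict >= 0 && !is_rule_start(starts, n, (size_t)t.verdict))
            return false;
    }
    return true;
}

bool validate_ruleset(const uint8_t *blob, size_t len)
{
    size_t starts[MAX_RULES];
    int n = walk_rules(blob, len, starts, MAX_RULES);
    return n >= 0 && jumps_valid(blob, starts, (size_t)n);
}

/* Append one rule with match_bytes bytes of zeroed match data; returns the new
 * blob length, or 0 if buf is too small. Used only to build the samples. */
size_t append_rule(uint8_t *buf, size_t cap, size_t used, uint16_t match_bytes, int32_t verdict)
{
    struct rule_hdr h = { (uint16_t)(sizeof(struct rule_hdr) + match_bytes),
                          (uint16_t)(sizeof(struct rule_hdr) + match_bytes + TARGET_MIN_SIZE) };
    struct target_hdr t = { (uint16_t)TARGET_MIN_SIZE, verdict };
    if (cap - used < h.next_offset) return 0;
    memset(buf + used, 0, h.next_offset);
    memcpy(buf + used, &h, sizeof h);
    memcpy(buf + used + h.target_offset, &t, sizeof t);
    return used + h.next_offset;
}

/* Build constructed samples and return a bitmask of the ones the validator
 * accepts. Bit 0 is the well-formed set (rule 0 is 16 bytes and jumps to rule 1
 * at offset 16; rule 1 is 12 bytes with a builtin verdict); bits 1-3 are
 * corrupted copies of it that must all be rejected, so the expected mask is 1. */
unsigned run_samples(void)
{
    uint8_t buf[64], bad[64];
    unsigned mask = 0;
    size_t len = append_rule(buf, sizeof buf, 0, 4, 16);
    len = append_rule(buf, sizeof buf, len, 0, -1);
    if (validate_ruleset(buf, len)) mask |= 1;
    memcpy(bad, buf, len);                              /* jump into the middle of rule 0 */
    struct target_hdr mid = { (uint16_t)TARGET_MIN_SIZE, 8 };
    memcpy(bad + 8, &mid, sizeof mid);
    if (validate_ruleset(bad, len)) mask |= 2;
    memcpy(bad, buf, len);                              /* rule 1 claims to run past the blob */
    struct rule_hdr big = { 4, 200 };
    memcpy(bad + 16, &big, sizeof big);
    if (validate_ruleset(bad, len)) mask |= 4;
    memcpy(bad, buf, len);                              /* rule 1's target size below the minimum */
    struct target_hdr tiny = { 2, -1 };
    memcpy(bad + 20, &tiny, sizeof tiny);
    if (validate_ruleset(bad, len)) mask |= 8;
    return mask;
}
```

The two-pass split mirrors the ordering in the series: offsets and sizes are checked while walking forward, so that no later step ever reads a header outside the blob, and jump targets are checked only once the complete list of rule starts is known. Everything is compared against the remaining length of the blob rather than against the values in the headers themselves, which is what makes a lying next_offset or target_size harmless.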

Thread overview: 27+ messages
2016-04-01 12:17 [PATCH nf 00/17] netfilter: xtables: stricter ruleset validation Florian Westphal
2016-04-01 12:17 ` [PATCH nf 01/17] netfilter: x_tables: don't move to non-existent next rule Florian Westphal
2016-04-01 12:17 ` [PATCH nf 02/17] netfilter: x_tables: validate targets of jumps Florian Westphal
2016-04-01 12:24   ` Jan Engelhardt
2016-04-01 12:17 ` [PATCH nf 03/17] netfilter: x_tables: add and use xt_check_entry_offsets Florian Westphal
2016-04-01 12:17 ` [PATCH nf 04/17] netfilter: x_tables: kill check_entry helper Florian Westphal
2016-04-01 12:17 ` [PATCH nf 05/17] netfilter: x_tables: assert minimum target size Florian Westphal
2016-04-01 12:17 ` [PATCH nf 06/17] netfilter: x_tables: add compat version of xt_check_entry_offsets Florian Westphal
2016-04-01 12:17 ` [PATCH nf 07/17] netfilter: x_tables: check standard target size too Florian Westphal
2016-04-01 12:17 ` [PATCH nf 08/17] netfilter: x_tables: check for bogus target offset Florian Westphal
2016-04-01 12:17 ` [PATCH nf 09/17] netfilter: x_tables: validate all offsets and sizes in a rule Florian Westphal
2016-04-01 12:17 ` [PATCH nf 10/17] netfilter: ip_tables: simplify translate_compat_table args Florian Westphal
2016-04-01 12:17 ` [PATCH nf 11/17] netfilter: ip6_tables: " Florian Westphal
2016-04-01 12:17 ` [PATCH nf 12/17] netfilter: arp_tables: " Florian Westphal
2016-04-01 12:17 ` [PATCH nf 13/17] netfilter: x_tables: xt_compat_match_from_user doesn't need a retval Florian Westphal
2016-04-01 12:17 ` [PATCH nf 14/17] netfilter: x_tables: do compat validation via translate_table Florian Westphal
2016-04-01 12:17 ` [PATCH nf 15/17] netfilter: x_tables: remove obsolete overflow check for compat case too Florian Westphal
2016-04-01 12:17 ` [PATCH nf 16/17] netfilter: x_tables: remove obsolete check Florian Westphal
2016-04-01 12:17 ` [PATCH nf 17/17] netfilter: x_tables: introduce and use xt_copy_counters_from_user Florian Westphal
2016-04-01 12:52   ` kbuild test robot
2016-04-01 13:06   ` kbuild test robot
2016-04-01 13:33   ` kbuild test robot
2016-04-01 13:37 ` [PATCH v2 " Florian Westphal
2016-04-08 11:58 ` [PATCH nf 00/17] netfilter: xtables: stricter ruleset validation Pablo Neira Ayuso
2016-04-08 11:59   ` Florian Westphal [this message]
2016-04-12 21:54     ` Pablo Neira Ayuso
2016-04-13 22:33 ` Pablo Neira Ayuso
