Re: RFC: Ideas about possible solutions for nfbz#949

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>,
	netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>
Subject: Re: RFC: Ideas about possible solutions for nfbz#949
Date: Mon, 29 May 2017 19:52:18 +0200	[thread overview]
Message-ID: <20170529175218.GA19201@salvia> (raw)
In-Reply-To: <20170510153429.GZ20805@orbyte.nwl.cc>

Hi Phil,

I'm recovering this RFC that got lost in the pile.

On Wed, May 10, 2017 at 05:34:29PM +0200, Phil Sutter wrote:
> Hi,
> 
> Netfilter Bugzilla #949[1] complains about broken output when trying to
> match icmpv6 message fields. This is a problem in how payload match is
> implemented in nft: The given match (e.g. 'icmp6 id 2') is broken down
> to a simple match of header data at a specific offset. Sadly this does
> not work with ICMP(v6) since header structure depends on the packet's
> ICMP type and on return path there is no information about which type of
> message the user wanted to match against.

Right, this is a longstanding bug.

> My idea was to build something like the protocol dependencies we have
> for e.g. TCP header fields but with ICMP, a given header field might be
> present in multiple message types (e.g. icmp6_id is present in echo
> request as well as reply).

You mean adding more instructions when generating bytecode? This has
runtime overhead, just to provide context for just listing the
ruleset. I would prefer we skip this.

> I already considered inserting a match for icmp6 type against an
> anonymous set (like 'icmp6 type { echo-request, echo-reply }'), but
> having this as an implicit dependency and resolving with previous
> matches, etc. becomes pretty complex.
> 
> Do you think I should try following a different approach (via userdata
> e.g.)?

I think you should try adding some context structure to the
expr_print(), this context can be used to interpret this offset based
on the icmp type.

Someone (Elise?) send me a patch to add this context structure, just
to prepare introduction, but she got stuck in the context update
logic at some point. I can find such patch so you only have to figure
out how to annotate the information we need in this context structure.

next prev parent reply	other threads:[~2017-05-29 17:52 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-10 15:34 RFC: Ideas about possible solutions for nfbz#949 Phil Sutter
2017-05-29 17:52 ` Pablo Neira Ayuso [this message]
2017-05-30 11:04   ` Phil Sutter
2017-05-30 12:08     ` Pablo Neira Ayuso
2017-06-23 14:03       ` Phil Sutter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170529175218.GA19201@salvia \
    --to=pablo@netfilter.org \
    --cc=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=phil@nwl.cc \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.