From: Florian Westphal <fw@strlen.de>
To: Eugene Crosser <crosser@average.org>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Jan Engelhardt <jengelh@inai.de>,
netfilter-devel@vger.kernel.org
Subject: Re: Expose skb_gso_validate_network_len() [Was: ebtables: load-on-demand extensions]
Date: Sat, 20 Jun 2020 13:04:04 +0200
Message-ID: <20200620110404.GF26990@breakpoint.cc>
In-Reply-To: <13977ee9-d93b-62fd-c86a-6c4466f63e38@average.org>
Eugene Crosser <crosser@average.org> wrote:
> On 19/06/2020 17:15, Pablo Neira Ayuso wrote:
> >>>>> Why not make a patch to publicly expose the skb's data via nft_meta?
> >>>>> No more custom modules, no more userspace modifications [..]
> >>>>
> >>>> For our particular use case, we are running the skb through the kernel
> >>>> function `skb_validate_network_len()` with custom mtu size [..]
>
> (the function name is skb_gso_validate_network_len, my mistake)
>
> I previously expressed strong opinion that our "hack" to send icmp rejects on
> Layer 2 will not be useful for anyone else. But the existence of the commit from
> Michael Braun proves that I was wrong, and Jan Engelhards was right: it probably
> makes sense to implement the functionality that we need within the "new" nft
> infrastructure.
Yes, just do what Jan suggested and expose this in nft_meta.c
> As far as I understand, the part that is missing in the existing implementation
> is exposure (in some form) of `skb_gso_validate_network_len()` function to
> user-configurable filters.
No, nft already has "< $value" logic.
The only missing piece of the puzzle is a way to populate an nft
register with the "size per segment" value.
> Because the kernel does now expose the _size_ under
> which a gso skb can be segmented, but only the _boolean_ with the meaning "this
> gso skb can fit in mtu that you've specified",
It would be best to remove "static" from skb_gso_network_seglen() and
add an EXPORT_SYMBOL_GPL for it.
Then, extend nft_meta.c to set register content to that for gso
or the ip/ipv6 packet size for !gso.
Then, extend nft to support something like
nft insert rule bridge filter FORWARD \
ip frag-off & 0x4000 != 0 \
ip protocol tcp \
meta nh_segment_length > 1400 \
reject with icmp type frag-needed
[ NB: I suck at naming, so feel free to come up
with something more descriptive than "nh_segment_length".
l3size? nh-len...? ]
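Added example, not part of this message or of the kernel source: a user-space C model of the value the message wants nft_meta to populate, the per-segment network-layer length, and of the boolean check that skb_gso_validate_network_len() performs against an MTU. The struct fields are assumptions standing in for what the kernel derives from the skb headers and skb_shinfo; the decision function mirrors the proposed bridge rule (DF set, TCP, segment length above the MTU) so the difference between "size per segment" and "fits the MTU" can be seen on constructed packets.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of an skb. Not kernel code: these fields are assumptions
 * that stand in for what the kernel reads from the network/transport headers
 * and from skb_shinfo(skb)->gso_size. */
struct model_skb {
    unsigned int network_hdr_len;   /* IPv4/IPv6 header bytes (L3 header)      */
    unsigned int transport_hdr_len; /* TCP/UDP header bytes (L4 header)        */
    unsigned int payload_len;       /* total L4 payload carried by this skb    */
    unsigned int gso_size;          /* 0 when the skb is not GSO               */
    bool df_set;                    /* IPv4 DF bit, i.e. "ip frag-off & 0x4000" */
    bool is_tcp;
};

/* The "size per segment" the message wants in an nft register. For a GSO skb
 * the kernel's skb_gso_network_seglen() is L3 header + L4 header + gso_size:
 * the on-wire size of one segment once the stack or NIC splits the super
 * packet. For a non-GSO skb it is just the length from the network header on. */
unsigned int nh_segment_length(const struct model_skb *skb)
{
    unsigned int hdr_len = skb->network_hdr_len + skb->transport_hdr_len;

    if (skb->gso_size)
        return hdr_len + skb->gso_size;
    return hdr_len + skb->payload_len;
}

/* Boolean counterpart of skb_gso_validate_network_len(skb, mtu): true when
 * every resulting segment fits the MTU. If a full-size segment fits, the
 * possibly shorter final segment fits too, so one comparison suffices. */
bool segments_fit_mtu(const struct model_skb *skb, unsigned int mtu)
{
    return nh_segment_length(skb) <= mtu;
}

/* The decision the proposed rule expresses:
 *   ip frag-off & 0x4000 != 0  ip protocol tcp  meta <seglen> > MTU
 *     -> reject with icmp type frag-needed
 * Returns true when sending ICMP "fragmentation needed" is warranted. */
bool should_reject_frag_needed(const struct model_skb *skb, unsigned int mtu)
{
    if (!skb->df_set || !skb->is_tcp)
        return false;
    return !segments_fit_mtu(skb, mtu);
}

int main(void)
{
    /* Constructed: a TCP GSO super packet, 1448-byte segments, DF set. */
    struct model_skb gso = { 20, 32, 60000, 1448, true, true };
    /* Constructed: a small non-GSO TCP packet, DF set. */
    struct model_skb plain = { 20, 20, 100, 0, true, true };

    printf("gso seglen=%u fits1500=%d reject@1400=%d\n",
           nh_segment_length(&gso), segments_fit_mtu(&gso, 1500),
           should_reject_frag_needed(&gso, 1400));
    printf("plain len=%u reject@1400=%d\n",
           nh_segment_length(&plain), should_reject_frag_needed(&plain, 1400));
    return 0;
}
```

The point the model makes concrete: the kernel helper only answers "does it fit this MTU", whereas exposing the segment length itself lets the existing nft comparison logic ("> 1400") do the threshold check, so no per-MTU kernel interface is needed.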