Re: [PATCH 2.6 0/12]: netfilter update

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: "David S. Miller" <davem@redhat.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH 2.6 0/12]: netfilter update
Date: Sun, 26 Sep 2004 21:43:08 +0200	[thread overview]
Message-ID: <41571BCC.2050909@trash.net> (raw)
In-Reply-To: <20040924154032.5a0c32e1.davem@redhat.com>

David S. Miller wrote:

>I think the scheme is a bit illogical.
>
>Until the actual TCP socket lookup call, you cannot say for sure
>what that lookup would result in.
>
>For example, let's say that between where the ipt_owner match
>is invoked on input, and the actual call to tcp_v4_rcv(), some
>filtering or other packet mangling scheme changes the IP address
>or ports.  You're going to get different results in ipt_owner()
>than TCP was going to achieve.
>
>It sounds like we want some kind of socket resolution policy check.
>It's starting to get rediculious, as we have two filters _already_
>in that code path, one for the per-socket BPF style filtering, and
>the other for IPSEC.
>
>The IPSEC check is available on output too.
>  
>

It's mainly a problem if the socket is closed or replaced between the
lookup in ipt_owner and the lookup in tcp, for the other cases you
can define the semantic as: the socket that the packet would be
delivered to if the packet is not dropped and none of the keys used
for the lookup are altered.

>I don't see how it's avoidable to add another condition there.
>So what if we had something like:
>
>	NF_SK_HOOK(PF_INET, NF_TCP_IN, sk, skb, skb->dev, NULL,
>		   tcp_v4_rcv_finish)
>
>or something along those lines?  Perhaps you can simplify the
>argument set even further.
>  
>
Unfortunately I have to agree with you, another set of hooks looks
like the only way to solve the race. Let me think some more about
the implications for iptables and ip_conntrack.

Regards
Patrick

next prev parent reply	other threads:[~2004-09-26 19:43 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-09-21  3:20 [PATCH 2.6 0/12]: netfilter update Patrick McHardy
2004-09-21 21:36 ` David S. Miller
2004-09-21 23:38   ` Patrick McHardy
2004-09-22  0:18     ` David S. Miller
2004-09-22  1:42       ` Patrick McHardy
2004-09-24 22:40         ` David S. Miller
2004-09-26 19:43           ` Patrick McHardy [this message]
2004-09-26 21:45             ` Henrik Nordstrom
2004-09-26 21:56               ` Patrick McHardy
2004-09-26 22:08                 ` Henrik Nordstrom
2004-09-26 23:19                   ` Patrick McHardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=41571BCC.2050909@trash.net \
    --to=kaber@trash.net \
    --cc=davem@redhat.com \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.