From: Patrick McHardy <kaber@trash.net>
To: Henrik Nordstrom <hno@marasystems.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH 2.6 0/12]: netfilter update
Date: Mon, 27 Sep 2004 01:19:13 +0200 [thread overview]
Message-ID: <41574E71.4060601@trash.net> (raw)
In-Reply-To: <Pine.LNX.4.61.0409262359430.7707@filer.marasystems.com>
Henrik Nordstrom wrote:
> On Sun, 26 Sep 2004, Patrick McHardy wrote:
>
>> We confirm conntrack entries in LOCAL_IN after they passed all hooks,
>> but this new set of hooks would be after LOCAL_IN, so conntrack entries
>> should be confirmed there.
>
>
> Right. THis would also ensure that connections not picked up by the
> host does not get confirmed, but there is many complications if
> attempting this path.
>
> - It must be fully assured no packets is silently accepted by the host
> without entering this new hook.
ipip and gre don't have sockets, they could call the hook with
sk = NULL. Some icmp types are processed without a socket, same
here. Packets without a protocol or raw-socket for that protocol
are dropped in ip_local_deliver_finish, another hook would be
required there. With all this, the existing LOCAL_IN hook becomes
pratically useless. So we could just extend the existing NF_HOOK
macro by an "sk" argument. In LOCAL_OUT, it would be set to skb->sk
and, for symetry, to NULL in POST_ROUTING. One big advantage of
this is that it would allow filtering packets from a transport
mode SA without reinjecting them into the stack. I think I have
to try it to see how ugly it gets :)
>
> - Fragmented packets is again an issue.
Fragmentation is not a problem, packets are already defragmented
when received on a socket.
>> I agree. But I wonder if its worth it just for having the owner match
>> work in the input path, or if there are other uses for these hooks.
>
>
> Not sure either. But then it is also the case I have never really been
> sure about the current independent relation of conntrack and the local
> host sockets..
The socket could cache the conntrack entry, but then you
run into problems with icmp and tcp, who uses the same socket
(per-CPU in case of icmp) for replies generated by the kernel
(RST, icmp reply, ...). Other than that, I don't see any
advantage, we would still need the socket independent code for
forwarded packets.
Regards
Patrick
prev parent reply other threads:[~2004-09-26 23:19 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-21 3:20 [PATCH 2.6 0/12]: netfilter update Patrick McHardy
2004-09-21 21:36 ` David S. Miller
2004-09-21 23:38 ` Patrick McHardy
2004-09-22 0:18 ` David S. Miller
2004-09-22 1:42 ` Patrick McHardy
2004-09-24 22:40 ` David S. Miller
2004-09-26 19:43 ` Patrick McHardy
2004-09-26 21:45 ` Henrik Nordstrom
2004-09-26 21:56 ` Patrick McHardy
2004-09-26 22:08 ` Henrik Nordstrom
2004-09-26 23:19 ` Patrick McHardy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41574E71.4060601@trash.net \
--to=kaber@trash.net \
--cc=hno@marasystems.com \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.