From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Patrick McHardy <kaber@trash.net>
Cc: Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>
Subject: Re: netlink socket filtering
Date: Sun, 16 Mar 2008 12:58:25 +0100
Message-ID: <47DD0B61.3070300@netfilter.org>
In-Reply-To: <47D568DA.8060006@trash.net>

Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> I like this BSF-based solution, however, would it be flexible enough
>> for my needs? Another question that comes to my mind, isn't this
>> filtering coming too late? I mean, we have to invest time to build the
>> netlink message and then decide if we want to replicate it or not.
> 
> It's quite flexible, but you're right that it only takes place
> after the message has already been constructed. The advantage
> over selective unicast delivery is that if messages are consumed
> by multiple receivers we only need to construct them once.

On most systems the number of listeners would usually be 2: ulogd and
conntrack-daemon. I remember that someone said during the workshop that
building netlink messages is resource consuming.

> The downside is that messages that will get filtered on all
> sockets are constructed completely unnecessarily.

More concerns: if we go BSF, I'll have to implement some kind of
"compiler" to translate user options from conntrackd.conf to BSF code.
Using iptables for this seems to be more user-friendly?

I have a patch here that I'll send you when I have some spare time. It
introduces an nfevent field in the skbuff by using a 2-byte free hole in
it. Thus, I only have to insert one hook for the 'events' table.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers
