From: Daniel Mack <daniel@zonque.org>
To: Daniel Borkmann <daniel@iogearbox.net>,
	Pablo Neira Ayuso <pablo@netfilter.org>
Cc: fw@strlen.de, a.perevalov@samsung.com, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next 2/2] netfilter: x_tables: fix cgroup's NF_INET_LOCAL_IN sk lookups
Date: Wed, 25 Mar 2015 22:54:48 +0100	[thread overview]
Message-ID: <55132EA8.1060603@zonque.org> (raw)
In-Reply-To: <551329FA.4030002@iogearbox.net>

On 03/25/2015 10:34 PM, Daniel Borkmann wrote:
> On 03/25/2015 09:26 PM, Pablo Neira Ayuso wrote:

>> So this is basically needed when early demux is disabled?
>>
>> This is a rather large rework, I would like to know what scenarios
>> we're not currently catching with the existing code.
> 
> Hm, perhaps Daniel can elaborate better, what I have seen in my
> testing when xt_cgroup fails to match the cgroup on ingress traffic
> is i) early demux sysctl disabled, ii) udp on unconnected sockets
> (which I understand is the majority of udp traffic), iii) tcp and
> udp (any kind) on localhost communications. Daniel's original report
> can be found here [1].

Currently, ingress matching fails if the xt_cgroup module's match
callback is called with skb->sk == NULL, which is the case in the
scenarios described above. Also, according to Cong, this is also
always the case if the ingress network device is 'lo'.

We want to use xt_cgroup to realize a per-application firewall for both
filtering and accounting. For this, being able to catch every network
packet that is destined for or originated by a task that is assigned to
a certain net_cls CGroup controller is essential. Also, the match has to
be effective regardless of the network interface in use.

In my tests, Daniel's patches work perfectly fine.


Thanks,
Daniel
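
The per-application setup the thread describes, as an added example that is not code from the thread, the patch series, or the xt_cgroup module: a task is placed in a net_cls cgroup with a classid, and iptables rules using the xt_cgroup (classid-based) match are installed on both OUTPUT and INPUT, with a dedicated chain that carries an empty counting rule for accounting before the filtering verdict. Assumptions: a cgroup v1 net_cls hierarchy mounted at /sys/fs/cgroup/net_cls (path assumed), an iptables with the cgroup match, and the helper names (`classid_hex`, `cgroup_setup`, `cgroup_fw_rules`, `run`) are invented for this example. Commands are executed only when APPLY=1; otherwise they are printed, so the script can be read and checked without root.

```shell
#!/bin/sh
# Added example, not from the thread. Per-application firewall with a
# net_cls cgroup plus the iptables cgroup match (classid-based).
# Assumed mount point of the cgroup v1 net_cls hierarchy:
CG_ROOT=/sys/fs/cgroup/net_cls

# net_cls.classid is written as 0xAAAABBBB: major handle in the high
# 16 bits, minor handle in the low 16 bits.
classid_hex() {
    printf '0x%04x%04x' "$1" "$2"
}

# Execute the command when APPLY=1, otherwise print it (dry run).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Create the cgroup, tag it with its classid, and move one pid into it.
# Every socket the task opens afterwards inherits the classid.
cgroup_setup() {
    name=$1; classid=$2; pid=$3
    run mkdir -p "$CG_ROOT/$name"
    run sh -c "echo $classid > $CG_ROOT/$name/net_cls.classid"
    run sh -c "echo $pid > $CG_ROOT/$name/cgroup.procs"
}

# Emit the rule set for one classid: a dedicated chain, jumped to from
# OUTPUT (egress) and INPUT (ingress), holding an empty rule whose
# counters account for all of the application's traffic, followed by
# the filtering verdict.
cgroup_fw_rules() {
    classid=$1; chain=$2; verdict=$3
    run iptables -N "$chain"
    run iptables -A OUTPUT -m cgroup --cgroup "$classid" -j "$chain"
    run iptables -A INPUT  -m cgroup --cgroup "$classid" -j "$chain"
    run iptables -A "$chain"            # counting only, no target
    run iptables -A "$chain" -j "$verdict"
}

# Example wiring for an application running as pid 4242 (constructed):
#   APPLY=1 sh this.sh
if [ "${APPLY:-0}" = "1" ]; then
    cid=$(classid_hex 1 1)
    cgroup_setup app "$cid" 4242
    cgroup_fw_rules "$cid" APP_FW DROP
    iptables -nvxL APP_FW   # packet/byte counters of the empty rule
fi
```

The INPUT rule is exactly the part the thread is about: on a kernel without the NF_INET_LOCAL_IN socket lookup, ingress packets that reach xt_cgroup with skb->sk == NULL (early demux disabled, unconnected UDP, traffic over lo) will not match, so the INPUT counters stay at zero while OUTPUT keeps counting. Comparing the two counters after sending traffic over lo is a quick check for whether the running kernel carries the fix.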



Thread overview: 12+ messages
2015-03-24 15:30 [PATCH nf-next 0/2] xt_cgroups fix Daniel Borkmann
2015-03-24 15:30 ` [PATCH nf-next 1/2] netfilter: x_tables: refactor lookup helpers from xt_socket Daniel Borkmann
2015-03-24 15:30 ` [PATCH nf-next 2/2] netfilter: x_tables: fix cgroup's NF_INET_LOCAL_IN sk lookups Daniel Borkmann
2015-03-25 16:03   ` Pablo Neira Ayuso
2015-03-25 16:39     ` Daniel Borkmann
2015-03-25 17:17       ` Pablo Neira Ayuso
2015-03-25 17:27         ` Daniel Borkmann
2015-03-25 20:26   ` Pablo Neira Ayuso
2015-03-25 21:34     ` Daniel Borkmann
2015-03-25 21:54       ` Daniel Mack [this message]
2015-03-24 15:42 ` [PATCH nf-next 0/2] xt_cgroups fix Florian Westphal
2015-03-24 15:58   ` Daniel Borkmann
