From: jamal <hadi@cyberus.ca>
To: Patrick McHardy <kaber@trash.net>
Cc: Thomas Graf <tgraf@suug.ch>, David Miller <davem@davemloft.net>,
shemminger@vyatta.com, netdev@vger.kernel.org
Subject: Re: [PATCH net-2.6.26] netlink: make socket filters work on netlink
Date: Wed, 02 Apr 2008 09:10:52 -0400
Message-ID: <1207141852.4451.181.camel@localhost>
In-Reply-To: <47F38002.70005@trash.net>

On Wed, 2008-02-04 at 14:45 +0200, Patrick McHardy wrote:
> Mhh .. we could use a magic nlmsg_pid value (just like zero)
> to indicate it was done on behalf of a process using ioctls or
> some other, non-netlink means.
In my experience attempting to write user space apps which worry about
whodunnit and filtering in user space (essentially solving a similar
problem to what Stephen is attempting to), these non-nl paths have been
the most headache. Every book written on linux network config
demonstrates ifconfig and route utilities. Of course you could put
restrictions with caveats like "my app works only if you used ip or used
ifconfig version 3 which uses netlink" - but that puts a damper on the
whole concept.
> I'm wondering how useful this
> (or any other "whodunit" identifier) would be for filtering
> though, I think you're usually more interested in certain
> objects than certain processes, like all routes to 192.168.0.0/16,
> no matter who changes them.
I think both are of interest.
Historically in routes for example, the interest would be apps/processes
(not a direct mapping to process ids) that are of interest (e.g. a route
added by OSPF vs one added by RIP etc). Filtering is done in user space
so you don't repropagate routes added by the "OSPF process" to RIP if
policy says so etc.
That of course has evolved to application name (gated vs zebra vs bird
etc) which implements all of OSPF/RIP/BGP etc and can keep track of
things. There's further evolution which desires to run multiple instances
of quagga on the same machine etc.
I don't think the process id is the right thing, but some 32 bit id which
maps to a name would be useful, or even a static field defined in some
header file. The name serving could be out of the kernel for simplicity;
if the process dies and is re-incarnated it knows what to read (some of
these ideas are already in genetlink).
> Unfortunately we can't add a new field to the existing headers
> without breaking things, so anything new would likely be subsystem
> specific.
Agreed, it is a bit too late to change netlink without breaking apps
(and the reason I was suggesting I was going to add it to actions/cls).
Essentially even in subsystem specifics it would be an attribute
(transported via TLV).
cheers,
jamal
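As an added illustration (not code from this thread, nor from Stephen's patch), the C below applies both filtering views discussed above to a constructed RTM_NEWROUTE notification built in memory: the object view (does the RTA_DST TLV fall inside 192.168.0.0/16?) and the whodunnit view (nlmsg_pid, which the kernel leaves at 0 when the change did not come from a netlink socket). Function names, the 64-byte buffer and the sample addresses are assumptions of this example; nothing is read from a live socket.

```c
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <stdint.h>
#include <string.h>

/* Object-based filter: does this route notification touch net/plen?
 * On a match returns nlmsg_pid (the requesting netlink socket; 0 when the
 * change arrived via a non-netlink path), otherwise -1. */
long long route_in_prefix(struct nlmsghdr *nlh, uint32_t net, int plen)
{
    if (nlh->nlmsg_type != RTM_NEWROUTE && nlh->nlmsg_type != RTM_DELROUTE) return -1;
    struct rtmsg *rtm = NLMSG_DATA(nlh);
    if (rtm->rtm_family != AF_INET) return -1;
    uint32_t mask = plen ? htonl(~0u << (32 - plen)) : 0;   /* network order */
    int len = RTM_PAYLOAD(nlh);                  /* bytes of TLVs after rtmsg */
    for (struct rtattr *rta = RTM_RTA(rtm); RTA_OK(rta, len); rta = RTA_NEXT(rta, len)) {
        if (rta->rta_type != RTA_DST || RTA_PAYLOAD(rta) != 4) continue;
        uint32_t dst; memcpy(&dst, RTA_DATA(rta), 4);        /* network order */
        if ((dst & mask) == (htonl(net) & mask))
            return nlh->nlmsg_pid;
    }
    return -1;
}

/* Constructed RTM_NEWROUTE with one RTA_DST TLV; buf must hold 64 bytes. */
void build_route_msg(void *buf, uint32_t pid, uint32_t dst_host, int dst_len)
{
    struct nlmsghdr *nlh = buf;
    memset(buf, 0, 64);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
    nlh->nlmsg_type = RTM_NEWROUTE;
    nlh->nlmsg_pid = pid;                        /* 0 models the ioctl case */
    struct rtmsg *rtm = NLMSG_DATA(nlh);
    rtm->rtm_family = AF_INET;
    rtm->rtm_dst_len = dst_len;
    struct rtattr *rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
    rta->rta_type = RTA_DST;
    rta->rta_len = RTA_LENGTH(4);
    uint32_t dst = htonl(dst_host);
    memcpy(RTA_DATA(rta), &dst, 4);
    nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(rta->rta_len);
}

/* Build one constructed notification and run the 192.168.0.0/16 filter on it. */
long long check(uint32_t pid, uint32_t dst_host)
{
    uint32_t buf[16];                            /* 64 bytes, 4-byte aligned */
    build_route_msg(buf, pid, dst_host, 32);
    return route_in_prefix((struct nlmsghdr *)buf, 0xC0A80000u, 16);
}
```

With the object filter, a /32 inside the prefix matches whether the pid is 0 or a real socket id; the pid is only reported, which is the point Patrick makes about object versus process filtering.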