From: John Haxby <john.haxby@oracle.com>
To: Florian Westphal <fw@strlen.de>
Cc: Prarit Bhargava <prarit@redhat.com>,
David Miller <davem@davemloft.net>,
fbl@redhat.com, netdev@vger.kernel.org, agospoda@redhat.com,
nhorman@redhat.com, lwoodman@redhat.com
Subject: Re: [PATCH]: Add Network Sysrq Support
Date: Wed, 22 Jun 2011 13:37:17 +0100 [thread overview]
Message-ID: <4E01E1FD.8010802@oracle.com> (raw)
In-Reply-To: <20110622105434.GE16021@Chamillionaire.breakpoint.cc>
On 22/06/11 11:54, Florian Westphal wrote:
> Prarit Bhargava <prarit@redhat.com> wrote:
>
> [ cc'd John Haxby, who worked on xt_SYSREQ ]
>
>> On 06/21/2011 06:58 PM, David Miller wrote:
>>> From: Florian Westphal <fw@strlen.de>
>>> Date: Wed, 22 Jun 2011 00:56:45 +0200
>>>> This is one of the reasons why I still think that
>>>> xt_SYSREQ would be the better solution, you get all
>>>> kinds of filtering features for free.
>>>>
>>>> You could even use crazy things like '-m time' to restrict
>>>> sysreq availability to working hours and whatnot.
>>>>
>>> Agreed.
>> Using the netfilter xt-SYSRQ code seems to store the entered code and
>> execute it later after the system has returned to a normal state....
>> which is much too late to be useful.
> The target handler of the kernel part invokes handle_sysrq(),
> I don't see any delaying/queueing?
>
> FWIW, the old discussion is in the archives:
> search for subject "nf-next: sysrq and condition 20100421" from Jan
> Engelhardt, or try
> http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/33615/focus=34808
>
> As far as i understand the use case described by John Haxby matches yours.
>
> Patrick McHardy suggested an alternative standalone method involving
> encapsulation sockets; perhaps the reasons why this path was not chosen
> have changed.
>
> I think that a standalone module (i.e. not requiring netfilter) that
> runs the sysreq handling after all netfilter hooks would be optimal,
> but I don't see a simple method to implement that.
The xt_SYSRQ calls handle_sysrq() in BH context, much the same context
as ping is handled in. (Actually, it's likely xt_SYSRQ will work even
if ping doesn't since nothing has to come back.)
It's possible for xt_SYSRQ to fail. My usual case for failure was
simply not enabling it :-) However, as you typically have to fight your
way through iptables to get to xt_SYSRQ then you can get into trouble
that way.
Although I wasn't sure that it could happen, it's also possible that the
cryptographic functions can get in your way. xt_SYSRQ does its best to
avoid problems by pre-allocating everything it can so there is as little
as possible to do when it is needed, but it is possible for it to fail.
The module that Patrick McHardy suggested works up to a point:
handle_sysrq() can still be called in BH context but unfortunately I
couldn't get it working for IPv6: the necessary hook isn't implemented
for IPv6 (or rather, it wasn't, I don't know if something has changed
since then).
jch
next prev parent reply other threads:[~2011-06-22 12:37 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-21 13:00 [PATCH]: Add Network Sysrq Support Prarit Bhargava
2011-06-21 17:08 ` Stephen Hemminger
2011-06-21 18:30 ` Neil Horman
2011-06-21 20:09 ` Randy Dunlap
2011-06-21 20:37 ` Florian Westphal
2011-06-21 20:46 ` Randy Dunlap
2011-06-21 22:12 ` Prarit Bhargava
2011-06-21 22:05 ` Flavio Leitner
2011-06-21 22:26 ` Prarit Bhargava
2011-06-21 23:32 ` Flavio Leitner
2011-06-21 22:56 ` Florian Westphal
2011-06-21 22:58 ` David Miller
2011-06-22 10:26 ` Prarit Bhargava
2011-06-22 10:35 ` David Miller
2011-06-22 10:42 ` Prarit Bhargava
2011-06-22 10:54 ` Florian Westphal
2011-06-22 12:19 ` Prarit Bhargava
2011-06-22 12:37 ` John Haxby [this message]
2011-06-22 17:39 ` Prarit Bhargava
2011-06-22 18:46 ` John Haxby
2011-06-22 20:29 ` David Miller
2011-06-22 18:57 ` John Haxby
2011-06-22 20:27 ` David Miller
2011-06-24 14:37 ` John Haxby
2011-06-22 7:55 ` WANG Cong
2011-06-22 15:29 ` Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E01E1FD.8010802@oracle.com \
--to=john.haxby@oracle.com \
--cc=agospoda@redhat.com \
--cc=davem@davemloft.net \
--cc=fbl@redhat.com \
--cc=fw@strlen.de \
--cc=lwoodman@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=nhorman@redhat.com \
--cc=prarit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).