From: Christian Grothoff <grothoff@in.tum.de>
To: Andi Kleen <andi@firstfloor.org>
Cc: Stephen Hemminger <stephen@networkplumber.org>,
David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
knock@gnunet.org, jacob@appelbaum.net
Subject: Re: [PATCH] TCP: add option for silent port knocking with integrity protection
Date: Wed, 11 Dec 2013 23:53:41 +0100 [thread overview]
Message-ID: <52A8ECF5.3070604@in.tum.de> (raw)
In-Reply-To: <87bo0nulkt.fsf@tassilo.jf.intel.com>
On 12/11/2013 10:25 PM, Andi Kleen wrote:
> Stephen Hemminger <stephen@networkplumber.org> writes:
>>
>> The point is that doing it outside of TCP core is safer, less error prone
>> and more flexible.
>
> Or to put the question differently: what hooks would be needed to make
> this efficiently work in user space?
>
> It could be something like this: Firewall the port with forwarding the
> SYN packets using nfqueue, check for the SYN having the right magic,
> change a firewall rule, re-inject using nfqueue (not fully sure how
> well that works)
... and then do the same for the first TCP packet with payload? And you
seriously would consider that "safer" or "less error prone", starting
with the design complexity? I mean, if this was a patch for GNU Hurd,
I'd at least understand the strong urge to do everything in userspace...
next prev parent reply other threads:[~2013-12-11 22:53 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-10 18:35 [PATCH] TCP: add option for silent port knocking with integrity protection Christian Grothoff
2013-12-11 20:01 ` David Miller
2013-12-11 20:19 ` Christian Grothoff
2013-12-11 20:26 ` Stephen Hemminger
2013-12-11 20:39 ` Christian Grothoff
2013-12-11 21:25 ` Andi Kleen
2013-12-11 22:53 ` Christian Grothoff [this message]
2013-12-12 1:23 ` Andi Kleen
2013-12-12 10:19 ` Jacob Appelbaum
2013-12-12 11:43 ` Christian Grothoff
2013-12-12 12:23 ` Jacob Appelbaum
2013-12-12 14:34 ` Eric Dumazet
2013-12-12 15:07 ` Christian Grothoff
2013-12-12 15:33 ` Eric Dumazet
2013-12-12 15:46 ` Hannes Frederic Sowa
2013-12-13 3:07 ` Hannes Frederic Sowa
2014-08-19 19:36 ` Alexander Holler
2014-08-20 8:24 ` Hagen Paul Pfeifer
2014-08-20 9:07 ` Alexander Holler
2014-08-20 9:28 ` Hagen Paul Pfeifer
2014-08-20 9:47 ` Alexander Holler
2014-08-20 10:20 ` Alexander Holler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52A8ECF5.3070604@in.tum.de \
--to=grothoff@in.tum.de \
--cc=andi@firstfloor.org \
--cc=davem@davemloft.net \
--cc=jacob@appelbaum.net \
--cc=knock@gnunet.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).