From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Darren Willis <djw@google.com>,
Netfilter Developer Mailing List
<netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH] DHCPv6 connection tracker helper
Date: Tue, 14 Feb 2012 01:46:46 +0100 [thread overview]
Message-ID: <20120214004646.GH24194@1984> (raw)
In-Reply-To: <alpine.LNX.2.01.1202130940390.30851@frira.zrqbmnf.qr>
On Mon, Feb 13, 2012 at 10:55:58AM +0100, Jan Engelhardt wrote:
> On Friday 2012-02-10 03:30, Darren Willis wrote:
>
> >+MODULE_ALIAS("ipv6_conntrack_dhcpv6");
>
> I see no use for this one.
>
> >+static int dhcpv6_help(struct sk_buff *skb,
> >+ unsigned int protoff,
> >+ struct nf_conn *ct,
> >+ enum ip_conntrack_info ctinfo)
> >+{
> >+ struct nf_conntrack_expect *exp;
> >+ struct iphdr *iph = ip_hdr(skb);
> >+ if (iph->version == 6) {
> >+ struct ipv6hdr *ip6h = ipv6_hdr(skb);
> >+ if (skb->sk == NULL)
> >+ goto out;
> >+ if (ipv6_addr_is_multicast(&ip6h->daddr)) {
> >+ exp = nf_ct_expect_alloc(ct);
> >+ if (exp == NULL)
> >+ goto out;
> >+ exp->tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
>
> This reeks of http://stackoverflow.com/a/57611/1091587 :)
> And an ip(v4)hdr is not very fruitful in the realm of IPv6.
> How about getting rid of the goto as well, as in
>
> struct nf_conntrack_expect *exp;
> const struct ipv6hdr *iph = ipv6_hdr(skb);
> if (iph->version == 6 || skb->sk == NULL ||
> !ipv6_addr_is_multicast(&iph->daddr))
> return NF_ACCEPT;
> exp = nf_ct_expect_alloc(ct);
> if (exp == NULL)
> return NF_ACCEPT;
> exp->tuple = ...
> ...
> return NF_ACCEPT;
>
>
>
> Something for further separate patches on top:
>
> You probably want to add a test for the skb actually being a
> DHCP message type that desires a reply (DHCPOFFER, etc.)
> before creating the exp.
>
> >+ nf_ct_refresh(ct, skb, timeout * HZ);
> > return NF_ACCEPT;
> >+}
>
> In all cases, NF_ACCEPT is returned - makes some eyebrows raise.
> Upon looking for it, nf_conntrack_ftp.c returns NF_DROP on exp==NULL, so
> should you.
> It is probably a sane thing to also check that the DHCP packet is
> looking valid (packet size, flag combinations, etc.)
>
> Thirdly, your module does not seem to make any attempt (yet) to handle
> the DHCP v6 RECONFIGURE message.
>
> The timeout value for the exp could depend on the message type; RFC
> 3315 defines different timeouts for different message types, up to 600
> seconds for RENEW/REBOUND. (Is 600 seconds a wise thing?)
I agree with Jan's review.
next prev parent reply other threads:[~2012-02-14 0:46 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-10 2:30 [PATCH] DHCPv6 connection tracker helper Darren Willis
2012-02-10 11:18 ` Pablo Neira Ayuso
2012-02-13 4:07 ` Darren Willis
2012-02-13 23:05 ` Pablo Neira Ayuso
2012-02-13 9:55 ` Jan Engelhardt
2012-02-14 0:46 ` Pablo Neira Ayuso [this message]
2012-02-15 9:00 ` Darren Willis
2012-02-15 17:13 ` Jan Engelhardt
2012-02-16 4:56 ` Darren Willis
2012-02-24 17:54 ` Pablo Neira Ayuso
2012-02-27 4:18 ` Darren Willis
2012-02-28 23:54 ` Pablo Neira Ayuso
2012-03-02 3:59 ` Darren Willis
2012-03-03 13:35 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120214004646.GH24194@1984 \
--to=pablo@netfilter.org \
--cc=djw@google.com \
--cc=jengelh@medozas.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).