From: David Miller <davem@davemloft.net>
To: ast@plumgrid.com
Cc: pablo@netfilter.org, dborkman@redhat.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, willemb@google.com,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH net-next] net: filter: rename 'struct sk_filter' to 'struct bpf_prog'
Date: Mon, 28 Jul 2014 18:16:21 -0700 (PDT)
Message-ID: <20140728.181621.1196619942413270695.davem@davemloft.net>
In-Reply-To: <CAMEtUuyuxfs7Liy_HCDijUX9Q8yziY2kt0XCpJtXUyMR1P941Q@mail.gmail.com>
From: Alexei Starovoitov <ast@plumgrid.com>
Date: Mon, 28 Jul 2014 18:12:05 -0700
> On Mon, Jul 28, 2014 at 2:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>>> > struct sk_filter_cb {
>>> >         int type;
>>> >         struct module *me;
>>> >         void (*charge)(struct sock *sk, struct sk_filter *fp);
>>> >         void (*uncharge)(struct sock *sk, struct sk_filter *fp);
>>> >         unsigned int (*run_filter)(struct sk_filter *fp, struct sk_buff *skb);
>>> > };
>>>
>>> Pablo,
>>>
>>> I don't think you understand the scope of BPF.
>>> 'struct module *'? to attach nft to sockets? ouch.
>>
>> The idea is that there will be one sk_filter_cb per socket filtering
>> approach. The module structure is just there in case one of the
>> approaches is loadable as a kernel module; it's the typical code pattern
>> in the kernel. You can git grep for similar code.
>
> socket filtering is available to unprivileged users.
> So you're proposing to let them increment refcnt of modules?!
> That's not secure.
It's impossible to avoid, and really is nothing new.
Users can open sockets, and that holds a reference to the module
implementing that protocol. Is that not secure too?
This discussion is degenerating into nonsense, please stop ignoring
Pablo's core points.
Thanks.
Thread overview: 17+ messages
[not found] <1406275499-7822-1-git-send-email-ast@plumgrid.com>
[not found] ` <53D23EAF.4000001@redhat.com>
2014-07-25 11:54 ` [PATCH net-next] net: filter: rename 'struct sk_filter' to 'struct bpf_prog' Pablo Neira Ayuso
2014-07-25 13:00 ` Daniel Borkmann
2014-07-25 17:24 ` Alexei Starovoitov
2014-07-25 22:17 ` Pablo Neira Ayuso
2014-07-27 5:41 ` Alexei Starovoitov
2014-07-28 21:45 ` Pablo Neira Ayuso
2014-07-29 0:12 ` David Miller
2014-07-29 1:12 ` Alexei Starovoitov
2014-07-29 1:16 ` David Miller [this message]
2014-07-25 13:53 ` Willem de Bruijn
2014-07-25 17:27 ` Alexei Starovoitov
2014-07-25 18:32 ` Willem de Bruijn
2014-07-25 18:43 ` Alexei Starovoitov
2014-07-25 18:50 ` Willem de Bruijn
2014-07-25 18:58 ` Alexei Starovoitov
2014-07-25 19:02 ` Alexei Starovoitov
2014-07-25 22:20 ` Pablo Neira Ayuso