From: Florian Westphal <fw@strlen.de>
To: Daniel Mack <daniel@zonque.org>
Cc: pablo@netfilter.org, daniel@iogearbox.net,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
fw@strlen.de, balazs.scheidler@balabit.com
Subject: Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type
Date: Tue, 29 Sep 2015 23:19:59 +0200 [thread overview]
Message-ID: <20150929211959.GF19923@breakpoint.cc> (raw)
In-Reply-To: <1443525140-13493-4-git-send-email-daniel@zonque.org>
Daniel Mack <daniel@zonque.org> wrote:
> Add a new chain type NF_INET_LOCAL_SOCKET_IN which is ran after the
> input demux is complete and the final destination socket (if any)
> has been determined.
>
> This helps filtering packets based on information stored in the
> destination socket, such as cgroup controller supplied net class IDs.
This still seems like the 'x y' problem ("want to do X, think Y is
correct solution; ask about Y, but thats a strange thing to do").
There is nothing that this offers over INPUT *except* that sk is
available. But there is zero benefit as far as I am concerned --
why would you want to do any meaningful filtering based on the sk at
that point...?
Drop? Makes no sense, else application would not be running in the first
place.
Allowing response packets? Can already do that with conntrack.
So the only 'benefit' is that netcls id is available; but
a) why is that even needed and
b) is such a huge sledgehammer just for net cgroup accounting
worth it?
Another question is what other strange things come up once we would
open this door.
> listening on a specific task, the resulting error code that is sent
> back to the remote peer can't be controlled with rules in
> NF_INET_LOCAL_SOCKET_IN chains.
Right, and that makes this even weirder.
For deterministic ingress filtering you can only rely on what
is contained in the packet.
next prev parent reply other threads:[~2015-09-29 21:20 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-29 11:12 [PATCH RFC 0/7] netfilter: introduce new chain type for local socket input Daniel Mack
2015-09-29 11:12 ` [PATCH RFC 1/7] netfilter: add socket to struct nft_pktinfo Daniel Mack
2015-09-29 18:25 ` Eric W. Biederman
2015-09-29 11:12 ` [PATCH RFC 2/7] netfilter: nft_meta: look at pkt->sk rather than skb->sk Daniel Mack
2015-09-29 13:37 ` kbuild test robot
2015-09-29 11:12 ` [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type Daniel Mack
2015-09-29 21:19 ` Florian Westphal [this message]
2015-09-30 7:24 ` Daniel Mack
2015-09-30 7:40 ` Jan Engelhardt
2015-09-30 8:54 ` Daniel Mack
2015-09-30 21:48 ` Florian Westphal
2015-10-01 9:04 ` Daniel Mack
2015-10-01 17:13 ` Marcelo Ricardo Leitner
2015-10-01 21:07 ` Daniel Mack
2015-10-01 21:34 ` Marcelo Ricardo Leitner
2015-10-02 11:07 ` Pablo Neira Ayuso
2015-10-02 13:52 ` Daniel Mack
2015-09-29 11:12 ` [PATCH RFC 4/7] net: tcp_ipv4, udp_ipv4: hook up LOCAL_SOCKET_IN netfilter chains Daniel Mack
2015-09-29 11:12 ` [PATCH RFC 5/7] net: tcp_ipv6, udp_ipv6: " Daniel Mack
2015-09-29 11:12 ` [PATCH RFC 6/7] net: sctp: " Daniel Mack
2015-09-29 11:12 ` [PATCH RFC 7/7] net: dccp: " Daniel Mack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150929211959.GF19923@breakpoint.cc \
--to=fw@strlen.de \
--cc=balazs.scheidler@balabit.com \
--cc=daniel@iogearbox.net \
--cc=daniel@zonque.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).