Date:	Tue, 7 May 2013 15:23:26 +0200
From:	Antonio Quartulli <antonio@...n-mesh.com>
To:	Jamal Hadi Salim <jhs@...atatu.com>
CC:	"David S. Miller" <davem@...emloft.net>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: Using skb->mark outside netfilter

Hi Jamal,

On Tue, May 07, 2013 at 06:04:18 -0700, Jamal Hadi Salim wrote:
> On 13-05-06 02:48 PM, Antonio Quartulli wrote:
> 
> >
> > Now to extend this mechanism network-wide (remember that the use case is a Layer 2
> > mesh network set up with batman-adv) I'm going to introduce a mechanism in
> > batman-adv itself which is supposed to read and write the skb->mark field
> > so that the value contained when the packet is leaving one end can be restored
> > later on the other end of the intra-mesh communication (only if it matches a
> > pre-configured one).
> > This would allow the remote node to perform the same filtering
> > operation as if the packet was locally generated.
> >
> 
> Nice idea.
> How do you encode the mark in the batman header?

The mark is not really encoded in the batman header.

Each node is configured with a mark value (the values have to be the same on
every node in order to make the mechanism work correctly), then batman-adv will
advertise to the rest of the mesh which host is sending marked packets.

Receiving nodes will then restore the mark in the skb each time it is coming from
one of those advertised hosts.

A future feature may consist of carrying the mark directly in the header so
that batman-adv itself does not have to take care of the meaning of such a
value but will just carry it (we still have to think about it... it is just an
idea now).

> >
> > To clarify the idea, here you have an ascii art representing a possible setup
> > and how the mark will be read and set:
> 
> Looks sane to me.
> 

Thanks a lot!
I will use it :)


Cheers,

-- 
Antonio Quartulli

..each of us alone is worth nothing..
Ernesto "Che" Guevara
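The three steps Antonio describes above (a per-node configured mark, a mesh-wide advertisement of which hosts send marked packets, and restoration of the mark at the receiving node) as an added toy model in C. This is example code written for this archive page, not batman-adv's code or the author's patch; the structures `toy_skb` and `mesh_node`, the functions `egress`, `advertise` and `ingress`, and the MAC addresses and mark values are all constructed for the example. The third scenario deliberately misconfigures one node to show why the configured value must agree across the mesh: the receiver restores its own configured value, so a mismatch silently produces a different mark than the sender used.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the mark-restore scheme from the mail (not batman-adv code).
 * All struct and function names here are assumptions made for the example. */

#define MAX_HOSTS 8
#define MESH_NODES 3

typedef struct { uint8_t addr[6]; } mac_t;

/* Stand-in for sk_buff: only the two fields the model needs. */
struct toy_skb {
    mac_t    src;   /* MAC of the client host that emitted the frame */
    uint32_t mark;  /* skb->mark as set by a local filter (0 = unmarked) */
};

/* Per-node state: the locally configured mark plus the hosts the mesh has
 * advertised as "sending marked packets". */
struct mesh_node {
    uint32_t configured_mark;
    mac_t    marked_hosts[MAX_HOSTS];
    int      n_marked;
};

static bool mac_eq(const mac_t *a, const mac_t *b)
{
    return memcmp(a->addr, b->addr, sizeof a->addr) == 0;
}

static bool is_marked_host(const struct mesh_node *n, const mac_t *host)
{
    for (int i = 0; i < n->n_marked; i++)
        if (mac_eq(&n->marked_hosts[i], host))
            return true;
    return false;
}

/* Record a host as a sender of marked packets (idempotent, bounded). */
static void learn_marked_host(struct mesh_node *n, const mac_t *host)
{
    if (is_marked_host(n, host) || n->n_marked >= MAX_HOSTS)
        return;
    n->marked_hosts[n->n_marked++] = *host;
}

/* Advertisement step: every node in the mesh learns the marked host. */
static void advertise(struct mesh_node *mesh, int count, const mac_t *host)
{
    for (int i = 0; i < count; i++)
        learn_marked_host(&mesh[i], host);
}

/* Egress at the sending node: only a mark equal to the configured one is
 * acted on. Returns true when the source host was advertised mesh-wide. */
static bool egress(struct mesh_node *mesh, int count, int self,
                   const struct toy_skb *skb)
{
    if (skb->mark != mesh[self].configured_mark)
        return false;
    advertise(mesh, count, &skb->src);
    return true;
}

/* Ingress at a receiving node: the mark is restored from local config when
 * the frame comes from an advertised host. Returns the resulting mark. */
static uint32_t ingress(const struct mesh_node *n, struct toy_skb *skb)
{
    if (is_marked_host(n, &skb->src))
        skb->mark = n->configured_mark;
    return skb->mark;
}

/* Constructed scenario: nodes 0 and 1 share mark 0x10, node 2 is
 * misconfigured with 0x20. Host h1 sends one marked frame via node 0. */
static const mac_t H1 = {{0x02, 0, 0, 0, 0, 0x01}};
static const mac_t H2 = {{0x02, 0, 0, 0, 0, 0x02}};

static void setup(struct mesh_node *mesh)
{
    memset(mesh, 0, sizeof(struct mesh_node) * MESH_NODES);
    mesh[0].configured_mark = 0x10;
    mesh[1].configured_mark = 0x10;
    mesh[2].configured_mark = 0x20;
    struct toy_skb out = { H1, 0x10 };
    egress(mesh, MESH_NODES, 0, &out);   /* h1 gets advertised */
}

/* Frame from h1 at node 1: the mark lost on the wire is restored to 0x10. */
uint32_t mark_at_consistent_node(void)
{
    struct mesh_node mesh[MESH_NODES];
    setup(mesh);
    struct toy_skb in = { H1, 0 };
    return ingress(&mesh[1], &in);
}

/* Frame from h2, which never sent a marked packet: stays unmarked. */
uint32_t mark_for_unadvertised_host(void)
{
    struct mesh_node mesh[MESH_NODES];
    setup(mesh);
    struct toy_skb in = { H2, 0 };
    return ingress(&mesh[1], &in);
}

/* Node 2 restores *its* configured value (0x20), not the sender's 0x10. */
uint32_t mark_at_misconfigured_node(void)
{
    struct mesh_node mesh[MESH_NODES];
    setup(mesh);
    struct toy_skb in = { H1, 0 };
    return ingress(&mesh[2], &in);
}

int main(void)
{
    printf("consistent node:    0x%x\n", mark_at_consistent_node());
    printf("unadvertised host:  0x%x\n", mark_for_unadvertised_host());
    printf("misconfigured node: 0x%x\n", mark_at_misconfigured_node());
    return 0;
}
```

The advertisement is modelled as an instantaneous mesh-wide table update; in a real mesh it would ride on the routing protocol's own announcements and lag behind the first marked frame, so a receiver may see an unmarked frame from a host it has not yet learned about.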
