lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 8 Jun 2023 12:50:03 -0400
From: Jamal Hadi Salim <jhs@...atatu.com>
To: Florian Westphal <fw@...len.de>
Cc: netdev@...r.kernel.org, kuba@...nel.org, edumazet@...gle.com, 
	davem@...emloft.net, pabeni@...hat.com, xiyou.wangcong@...il.com, 
	jiri@...nulli.us
Subject: Re: [PATCH net v2 0/3] net/sched: act_ipt bug fixes

On Thu, Jun 8, 2023 at 10:03 AM Florian Westphal <fw@...len.de> wrote:
>
> v2: add "Fixes" tags, no other changes, so retaining Simons RvB tag.
>
> While checking if netfilter could be updated to replace selected
> instances of NF_DROP with kfree_skb_reason+NF_STOLEN to improve
> debugging info via drop monitor I found that act_ipt is incompatible
> with such an approach.  Moreover, it lacks multiple sanity checks
> to avoid certain code paths that make assumptions that the tc layer
> doesn't meet, such as header sanity checks, availability of skb_dst
> skb_nfct() and so on.
>
> act_ipt test in the tc selftest still pass with this applied.
>
> I think that we should consider removal of this module, while
> this should take care of all problems, its ipv4 only and I don't
> think there are any netfilter targets that lack a native tc
> equivalent, even when ignoring bpf.
>

I am all for removing it - but i am worried there are users based on
past interactions. Will try to ping some users and see if they
actually were using it. I will send a patch to retire it if it looks
safe.
Unfortunately ipt suffered because we couldnt coordinate between the
netfilter and tc subsystem. In the old days so calling/callee bugs
fixed in the netfilter world find their way into ipt. At some point
that stopped. Also the user space interfacing suffered from similar
issues.

cheers,
jamal

> Florian Westphal (3):
>   net/sched: act_ipt: add sanity checks on table name and hook locations
>   net/sched: act_ipt: add sanity checks on skb before calling target
>   net/sched: act_ipt: zero skb->cb before calling target
>
>  net/sched/act_ipt.c | 70 ++++++++++++++++++++++++++++++++++++++++-----
>  1 file changed, 63 insertions(+), 7 deletions(-)
>
> --
> 2.40.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ