Message-ID: <20080331124619.637b574f@extreme>
Date:	Mon, 31 Mar 2008 12:46:19 -0700
From:	Stephen Hemminger <shemminger@...tta.com>
To:	Patrick McHardy <kaber@...sh.net>
Cc:	David Miller <davem@...emloft.net>, Jamal <hadi@...erus.ca>,
	netdev@...r.kernel.org
Subject: Re: [PATCH net-2.6.26] netlink: make socket filters work on netlink

On Mon, 31 Mar 2008 21:40:51 +0200
Patrick McHardy <kaber@...sh.net> wrote:

> Stephen Hemminger wrote:
> > On Wed, 26 Mar 2008 21:19:56 +0100
> > Patrick McHardy <kaber@...sh.net> wrote:
> > 
> >> Stephen Hemminger wrote:
> >>> Make socket filters work for netlink unicast and notifications.
> >>> This is useful for applications like Zebra that get overrun with
> >>> messages that are then ignored.
> >>>
> >>> Note: netlink messages are in host byte order, but packet filter
> >>> state machine operations are done as network byte order.
> >>
> >> Do you have an example for a filter for this? I have a similar
> >> patch that adds a new filter instruction for parsing netlink
> >> attributes, which seemed necessary for getting at nested
> >> attributes without too much trouble.
> >>
> >> Attached for reference together with a libnl testing
> >> patch for ctnetlink.
> >>
> > 
> > Here is the example program:
> >    it uses netlink IPC and has one thread send route notifications
> >    and the other filters.
> > 
> >    to test the multicast path used a hacked version of ip_monitor from iproute
> > 
> >    see attachment for the quagga patch.
> 
> 
> Thanks. It seems it parses only top-level attributes, which
> is probably why you didn't need the nlattr_find command I
> used in my patch. The problem with this is that finding and
> parsing nested attributes using the existing BPF commands is
> complicated since you need to fully parse netlink headers
> and walk through them. You can't even reuse that part for
> multiple nested attributes since you can't jump backwards.
> So I think it would be preferable to have a simpler method
> for this.

Agreed, it isn't a general solution but it is useful as is
to filter out the cruft. 
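
The byte-order note quoted above, as an added example that is not part of the original thread or of either patch: a classic BPF filter that keeps only RTM_NEWROUTE messages by testing the top-level nlmsg_type field, run over a constructed header by a small stand-in interpreter. The helper names build_type_filter, run_filter and verdict are hypothetical.

```c
#include <arpa/inet.h>
#include <linux/filter.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <stddef.h>
#include <stdint.h>

/* Classic BPF: keep a message only if the 16 bits at nlmsg_type equal k.
 * BPF_LD|BPF_H|BPF_ABS reads them big-endian, but netlink stores
 * nlmsg_type in host order, so callers must pass k = htons(type). */
static size_t build_type_filter(struct sock_filter f[4], uint16_t k)
{
    f[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_H | BPF_ABS,
                                        offsetof(struct nlmsghdr, nlmsg_type));
    f[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, 0, 1);
    f[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, 0xffffffff); /* keep */
    f[3] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, 0);          /* drop */
    return 4;
}

/* Minimal interpreter for the three opcodes above (illustration only, not
 * the kernel's engine). Returns the number of bytes to keep, 0 = drop. */
static uint32_t run_filter(const struct sock_filter *f, size_t n,
                           const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        uint32_t k = f[pc].k;
        switch (f[pc].code) {
        case BPF_LD | BPF_H | BPF_ABS:
            if (len < 2 || k > len - 2) return 0; /* out-of-bounds load drops */
            a = (uint32_t)pkt[k] << 8 | pkt[k + 1];
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (a == k) ? f[pc].jt : f[pc].jf; break;
        case BPF_RET | BPF_K: return k;
        default: return 0; /* opcode not modelled here */
        }
    }
    return 0;
}

/* Constructed sample: a bare nlmsghdr laid out in host byte order. */
static uint32_t verdict(uint16_t msg_type, uint16_t k)
{
    struct sock_filter f[4];
    size_t n = build_type_filter(f, k);
    struct nlmsghdr h = { .nlmsg_len = NLMSG_LENGTH(0), .nlmsg_type = msg_type };
    return run_filter(f, n, (const uint8_t *)&h, sizeof(h));
}

int main(void) { return verdict(RTM_NEWROUTE, htons(RTM_NEWROUTE)) ? 0 : 1; }
```

On a real socket the same four instructions would be attached with setsockopt(SO_ATTACH_FILTER) through a struct sock_fprog, given a kernel that runs socket filters on netlink as the patch under discussion proposes. On a little-endian host, passing RTM_NEWROUTE without htons() makes the filter drop every route message.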