| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4991863F.3030800@trash.net> Date: Tue, 10 Feb 2009 14:50:55 +0100 From: Patrick McHardy <kaber@...sh.net> To: Pablo Neira Ayuso <pablo@...filter.org> CC: David Miller <davem@...emloft.net>, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org Subject: Re: [RFC] netlink broadcast return value Pablo Neira Ayuso wrote: > Patrick McHardy wrote: >> Pablo Neira Ayuso wrote: > >> But unless I'm missing something, there's nothing wrong with this >> as long as the error is ignored. The fact that something was received >> by some listener doesn't have any meaning anyways, it might have >> been "ip monitor". Which somehow raises doubt about your proposed >> interface change though, I think anything that wants a reliable >> answer whether a packet was delivered to a process handling it >> appropriately should use unicast. > > Don't get me wrong, I agree with you that all netlink_broadcast callers > in the kernel should ignore the return value... > > ... unless they have "some way" (like in Netfilter) to make event > delivery reliable: I have attached a patch that I didn't send you yet, > I'm still reviewing and testing it. It adds an entry to /proc to enable > reliable event delivery over netlink by dropping packets whose events > were not delivered, you mentioned that possibility once during one of > our conversations ;). I know, but in the mean time I think its wrong :) The delivery isn't reliable and what the admin is effectively expressing by setting your sysctl is "I don't have any listeners besides the synchronization daemon running". So it might as well use unicast. > I'm aware of that this option may be dangerous if used by a buggy > process that trigger frequent overflows but it the cost of having > realible logging for ctnetlink (still, this behaviour is not the one by > default!). > > And I need this option to make conntrackd synchronize state-changes > appropriately under very heavy load: I've testing the daemon with these > patches and it reliably synchronizes state-changes (my system were 100% > busy filtering traffic and fully synchronizing all TCP state-changes in > near real-time effort, with a noticeable performance drop of 30% in > terms of filtered connections). So you're dropping the packet if you can't manage to synchronize. Doesn't that defeat the entire purpose of synchronizing, which is *increasing* reliability? :) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists