lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20100430193916.GZ19334@cel.leo>
Date:	Fri, 30 Apr 2010 20:39:17 +0100
From:	Paul LeoNerd Evans <leonerd@...nerd.org.uk>
To:	netdev@...r.kernel.org
Subject: [RFC] BPF program access to transport header

Via the SKF_NET_OFF extension area, a BPF program has nice easy access
to the network header, wherever it might happen to be in the packet.
This makes it simpler to write filters on e.g. IPv4 headers, knowing
that fields will always be at simple offsets relative to SKF_NET_OFF.
Using the data at WORD[SKF_AD_PROTO] it's easy also to find out what
network protocol this is.

I would like to provide similar for the transport header. Without doing
so, it is very hard to parse e.g. UDP or TCP headers that may be
contained within IPv6 protocol, because of the linked-list way IPv6
headers chain on to each other. BPF doesn't provide a while() loop or
any kind of backward jump, meaning the filter program has to be
loop-unrolled a static number of times. This quickly leads to very large
programs.

I forsee a number of issues with trying to provide this:

 * How to provide the protocol number (e.g. 6 for TCP, 1 for ICMP) to
   the BPF program

 * How to obtain the transport offset - AIUI, the skf_transport_offset()
   won't actually be set yet by the time the filter program runs.

 * What to do if the underlying protocol doesn't support a transport
   layer above it - e.g. ARP.

Ideally, this would make it easy to filter, say, TCP destination port
80, by doing the following:

  LD WORD[SKF_AD_PROTO]
  JEQ ETHERTYPE_IPV4, 1, fail
  JEQ ETHERTYPE_IPv6, 0, fail

  LD WORD[SKF_AD_TRANSPROTO]
  JEQ IPPROTO_TCP, 0, fail

  LD WORD[SKF_TRANS_OFF+0]
  JEQ 80, 0, fail

  LD len
  RET A

fail:
  RET 0

In this short simple BPF program we've avoided all the issues involved
with trying to parse IPv6 headers.

Can we make this work?

-- 
Paul "LeoNerd" Evans

leonerd@...nerd.org.uk
ICQ# 4135350       |  Registered Linux# 179460
http://www.leonerd.org.uk/

Download attachment "signature.asc" of type "application/pgp-signature" (191 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ