| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150302143647.GC7418@breakpoint.cc> Date: Mon, 2 Mar 2015 15:36:47 +0100 From: Florian Westphal <fw@...len.de> To: Eyal Birger <eyal.birger@...il.com> Cc: Florian Westphal <fw@...len.de>, David Miller <davem@...emloft.net>, Willem de Bruijn <willemb@...gle.com>, Eric Dumazet <edumazet@...gle.com>, Shmulik Ladkani <shmulik.ladkani@...il.com>, "netdev@...r.kernel.org" <netdev@...r.kernel.org> Subject: Re: [PATCH net-next v4 0/2] net: Introducing socket mark receive socket option Eyal Birger <eyal.birger@...il.com> wrote: > On Mon, Mar 2, 2015 at 3:29 PM, Florian Westphal <fw@...len.de> wrote: > > Eyal Birger <eyal.birger@...il.com> wrote: > >> This patch set introduces a new socket option for fetching the mark > >> of skbs passed to sockets as ancillary data. > >> > >> A userspace program may wish to receive the mark of packets it > >> receives, for example for distinguishing between different TPROXY > >> diversion rules to the same userspace proxy socket. > > > > Hmm... Whats the use case? > > Even if you cannot use multiple sockets for every divert rule, > > TPROXY doesn't mangle payload; applications could use sockaddrs > > returned by accept, getpeername, getsockname etc. to figure out > > which original port/address the packet was sent to? > > Right. But that would mean the criteria for traffic diversion would need to > be known to the application receiving the traffic. For your solution to work the application needs to know about the TPROXY rule set and how that is structured, no? I don't see how that is 'better' than e.g. looking at dst port number. > Also, the feature has use-cases outside of TPROXY as the skb->mark may be set > by other mechanisms (including SO_MARK from user space). Right, but to me it seems very hacky to use SO_MARK as some kind of OOB signal. It won't work depending on loaded ruleset, it won't work with non-localhost traffic and it won't work when other application runs in another network namespace. Seems such facility would be limited to some pre-configured distribution where users don't run own software and make no changes to the default system setup. > For example, a user space daemon can receive traffic from multiple > applications using a single socket and distinguish between different traffic groups > according to the packet mark. Right, but it might as well use SO_PEERCRED to identify the other pid, right? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists