lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20150302.150556.807426896557970379.davem@davemloft.net>
Date:	Mon, 02 Mar 2015 15:05:56 -0500 (EST)
From:	David Miller <davem@...emloft.net>
To:	fw@...len.de
Cc:	eyal.birger@...il.com, willemb@...gle.com, edumazet@...gle.com,
	shmulik.ladkani@...il.com, netdev@...r.kernel.org
Subject: Re: [PATCH net-next v4 0/2] net: Introducing socket mark receive
 socket option

From: Florian Westphal <fw@...len.de>
Date: Mon, 2 Mar 2015 15:36:47 +0100

> Eyal Birger <eyal.birger@...il.com> wrote:
>> On Mon, Mar 2, 2015 at 3:29 PM, Florian Westphal <fw@...len.de> wrote:
>> > Eyal Birger <eyal.birger@...il.com> wrote:
>> >> This patch set introduces a new socket option for fetching the mark
>> >> of skbs passed to sockets as ancillary data.
>> >>
>> >> A userspace program may wish to receive the mark of packets it
>> >> receives, for example for distinguishing between different TPROXY
>> >> diversion rules to the same userspace proxy socket.
>> >
>> > Hmm... Whats the use case?
>> > Even if you cannot use multiple sockets for every divert rule,
>> > TPROXY doesn't mangle payload; applications could use sockaddrs
>> > returned by accept, getpeername, getsockname etc.  to figure out
>> > which original port/address the packet was sent to?
>> 
>> Right. But that would mean the criteria for traffic diversion would need to
>> be known to the application receiving the traffic.
> 
> For your solution to work the application needs to know about the TPROXY
> rule set and how that is structured, no?
> 
> I don't see how that is 'better' than e.g. looking at dst port number.
 ...
>> For example, a user space daemon can receive traffic from multiple
>> applications using a single socket and distinguish between different traffic groups
>> according to the packet mark.
> 
> Right, but it might as well use SO_PEERCRED to identify the other pid, right?

Also, this points out that this socket option if accepted probably needs to
be privileged.

I can see administrators not being happy with applications being able to see
the marks used by their rulesets.

I'm backing out this series, Florian makes a lot of good points.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ