Message-ID: <20150430102841.GA3373@salvia>
Date:	Thu, 30 Apr 2015 12:28:41 +0200
From:	Pablo Neira Ayuso <pablo@...filter.org>
To:	Daniel Borkmann <daniel@...earbox.net>
Cc:	Alexei Starovoitov <alexei.starovoitov@...il.com>,
	Patrick McHardy <kaber@...sh.net>,
	Jamal Hadi Salim <jhs@...atatu.com>,
	netfilter-devel@...r.kernel.org, davem@...emloft.net,
	netdev@...r.kernel.org
Subject: Re: [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks

On Thu, Apr 30, 2015 at 11:24:57AM +0200, Daniel Borkmann wrote:
> On 04/30/2015 08:02 AM, Alexei Starovoitov wrote:
> ...
> >My point is that I agree that cleanup of ingress qdisc is needed.
> >I disagree with drastic measures.
> >Just add your nf_hook to ingress and let's see how things evolve.
> >We have rx_handler and all of ptype hooks in there. One can argue
> >that rx_handler overlaps with nf_hook too ? ;)
> >We cannot generalize them all under one 'hook' infra.
> >nf needs to do nf_hook_state_init() and pass it around which
> >no one else needs. That's the cost others should not pay.
> 
> +1

Actually, the state object can be useful to resolve the major bug in
actions that mangle skbs in an illegal way, as we can use it to pass
back to the ingress path the new skb_shared_check()'ed skb.

The genericity that the state object introduces comes with a cost, no
doubt, but it helps to extend things later on and resolve tricky
situations like the one above without large patches to propagate new
state information that you need all over the code.

Regarding the performance argument that is repeated over and over
again, we are all quite aware that there is *good room for
improvement* in qdisc ingress itself...