lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20171012111429.GG26835@breakpoint.cc>
Date:   Thu, 12 Oct 2017 13:14:29 +0200
From:   Florian Westphal <fw@...len.de>
To:     Ursula Braun <ubraun@...ux.vnet.ibm.com>
Cc:     David Miller <davem@...emloft.net>, netdev@...r.kernel.org,
        linux-s390@...r.kernel.org, jwi@...ux.vnet.ibm.com,
        schwidefsky@...ibm.com, heiko.carstens@...ibm.com,
        raspl@...ux.vnet.ibm.com, hwippel@...ux.vnet.ibm.com
Subject: Re: [PATCH net-next 1/1] net/smc: add SMC rendezvous protocol

Ursula Braun <ubraun@...ux.vnet.ibm.com> wrote:
> On 10/11/2017 11:06 PM, David Miller wrote:
> > From: Ursula Braun <ubraun@...ux.vnet.ibm.com>
> > Date: Tue, 10 Oct 2017 16:14:19 +0200
> > 
> >> The goal of this patch is to leave common TCP code unmodified. Thus,
> >> it uses netfilter hooks to intercept TCP SYN and SYN/ACK
> >> packets. For outgoing packets originating from SMC sockets, the
> >> experimental option is added. For inbound packets destined for SMC
> >> sockets, the experimental option is checked.
> > 
> > I think this really isn't going to pass.
> > 
> > It's a user experience nightmare when the kernel inserts and
> > deletes filtering rules outside of what the user configures
> > on their system.

It depends if the hook is passive or not (i.e. mangles
payload/metadata or returns verdict other than NF_ACCEPT).

OUTPUT hook added here is not passive as it mangles tcp options.

> > This approach was also considerd for ipv6 ILA, and the same
> > pushback was given.

ahem.
net/ipv6/ila/ila_xlat.c:   err = nf_register_net_hooks(net, ila_nf_hook_ops,

FWIW at least the input hook seems ok to me provided it would use
skb_header_pointer for tcp header access (there is no guarantee
tcp_hdr() works or that the tcp header has been sanity checked in any
way).

Perhaps its time to consider moving net/netfilter/core.c into net/core
and rename NF_HOOK to NET_HOOK?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ