| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20171103203249.GA25602@breakpoint.cc>
Date: Fri, 3 Nov 2017 21:32:49 +0100
From: Florian Westphal <fw@...len.de>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH RFC,WIP 2/5] netfilter: add software flow offload
infrastructure
Pablo Neira Ayuso <pablo@...filter.org> wrote:
> +static int __init nf_flow_offload_module_init(void)
> +{
> + struct rhashtable_params params = flow_offload_rhash_params;
> + struct nf_hook_ops flow_offload_hook = {
> + .hook = nf_flow_offload_hook,
> + .pf = NFPROTO_NETDEV,
> + .hooknum = NF_NETDEV_INGRESS,
> + .priority = -100,
Magic number. Should this be documented in nft?
Alternatively we could reject NETDEV_INGRESS base chains from
userspace if prio < 0 to prevent userspace rules from messing
with this flow offlaod infrastructure.
I guess the rationale of using auto-builtin hook is to avoid
forcing users to configure this with nftables rules?
> + rtnl_lock();
> + for_each_netdev(&init_net, dev) {
> + entry = kmalloc(sizeof(*entry), GFP_KERNEL);
> + if (!entry) {
> + rtnl_unlock();
> + return -ENOMEM;
This would need error unwinding (Unregistering the already-registered
hooks).
> + err = nf_register_net_hook(&init_net, &entry->ops);
> + if (err < 0)
> + return err;
And here as well.
Powered by blists - more mailing lists