| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 15 Jun 2019 05:23:32 +0200
From: Stefano Brivio <sbrivio@...hat.com>
To: David Ahern <dsahern@...il.com>
Cc: David Miller <davem@...emloft.net>,
Martin KaFai Lau <kafai@...com>,
Jianlin Shi <jishi@...hat.com>, Wei Wang <weiwan@...gle.com>,
Eric Dumazet <edumazet@...gle.com>,
Matti Vaittinen <matti.vaittinen@...rohmeurope.com>,
netdev@...r.kernel.org
Subject: Re: [PATCH net v4 2/8] ipv4: Honour NLM_F_MATCH, make semantics of
NETLINK_GET_STRICT_CHK consistent
On Fri, 14 Jun 2019 21:13:38 -0600
David Ahern <dsahern@...il.com> wrote:
> On 6/14/19 7:32 PM, Stefano Brivio wrote:
> > Socket option NETLINK_GET_STRICT_CHK, quoting from commit 89d35528d17d
> > ("netlink: Add new socket option to enable strict checking on dumps"),
> > is used to "request strict checking of headers and attributes on dump
> > requests".
> >
> > If some attributes are set (including flags), setting this option causes
> > dump functions to filter results according to these attributes, via the
> > filter_set flag. However, if strict checking is requested, this should
> > imply that we also filter results based on flags that are *not* set.
>
> I don't agree with that comment. If a request does not specify a bit or
> specify an attribute on the request, it is a wildcard in the sense of
> nothing to be considered when matching records to be returned.
This is what I had in v1. Then:
On Thu, 6 Jun 2019 16:47:00 -0600
David Ahern <dsahern@...il.com> wrote:
> That's the use case I was targeting:
> 1. fib dumps - RTM_F_CLONED not set
> 2. exception dump - RTM_F_CLONED set
On Mon, 10 Jun 2019 15:38:06 -0600
David Ahern <dsahern@...il.com> wrote:
> By that I mean without the CLONED flag, no exceptions are returned
> (default FIB dump). With the CLONED flag only exceptions are returned.
and this looks to me like a sensible way (if strict checking is
requested, or if NLM_F_MATCH is passed) to filter the results.
> > This is currently not the case, at least for IPv4 FIB dumps: if the
> > RTM_F_CLONED flag is not set, and strict checking is required, we should
> > not return routes with the RTM_F_CLONED flag set.
>
> IPv4 currently ignores the CLONED flag and just returns - regardless of
> whether strict checking is enabled. This is the original short cut added
> many years ago.
Sure, and I'm removing that, because there's no way to fetch cached
routes otherwise.
> > Set the filter_set flag whenever strict checking is requested, limiting
> > the scope to IPv4 FIB dumps for the moment being, as other users of the
> > flag might not present this inconsistency.
> >
> > Note that this partially duplicates the semantics of NLM_F_MATCH as
> > described by RFC 3549, par. 3.1.1. Instead of setting a filter based on
> > the size of the netlink message, properly support NLM_F_MATCH, by
> > setting a filter via ip_filter_fib_dump_req() and setting the filter_set
> > flag.
> >
>
> your commit description is very confusing given the end goal. can you
> explain again?
1. we need a way to filter on cached routes
2. RTM_F_CLONED, by itself, doesn't specify a filter
3. how do we turn that into a filter? NLM_F_MATCH, says RFC 3549
4. but if strict checking is requested, you also turn some attributes
and flags into filters -- so let's make that apply to RTM_F_CLONED
too, I don't see any reason why that should be special
--
Stefano
Powered by blists - more mailing lists