lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 23 Apr 2020 18:05:42 +0200
From:   Lukas Wunner <lukas@...ner.de>
To:     Laura Garcia <nevola@...il.com>
Cc:     Pablo Neira Ayuso <pablo@...filter.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Jozsef Kadlecsik <kadlec@...filter.org>,
        Florian Westphal <fw@...len.de>,
        Netfilter Development Mailing list 
        <netfilter-devel@...r.kernel.org>, coreteam@...filter.org,
        netdev@...r.kernel.org, Martin Mares <mj@....cz>,
        Dmitry Safonov <0x7f454c46@...il.com>,
        Thomas Graf <tgraf@...g.ch>,
        Alexei Starovoitov <ast@...nel.org>,
        David Miller <davem@...emloft.net>
Subject: Re: [PATCH nf-next 3/3] netfilter: Introduce egress hook

On Thu, Apr 23, 2020 at 04:44:44PM +0200, Laura Garcia wrote:
> On Sun, Mar 15, 2020 at 2:29 PM Pablo Neira Ayuso <pablo@...filter.org> wrote:
> > On Sat, Mar 14, 2020 at 01:12:02AM +0100, Daniel Borkmann wrote:
> > > On 3/13/20 3:55 PM, Pablo Neira Ayuso wrote:
> > > > We have plans to support for NAT64 and NAT46, this is the right spot
> > > > to do this mangling. There is already support for the tunneling
> > >
> > > But why is existing local-out or post-routing hook _not_ sufficient for
> > > NAT64 given it being IP based?
> >
> > Those hooks are not coming at the end of the IP processing. There is
> > very relevant IP code after those hooks that cannot be bypassed such
> > as fragmentation, tunneling and neighbour output. Such transformation
> > needs to happen after the IP processing, exactly from where Lukas is
> > proposing.
> >
> > [...]
> > > > infrastructure in netfilter from ingress, this spot from egress will
> > > > allow us to perform the tunneling from here. There is also no way to
> > > > drop traffic generated by dhclient, this also allow for filtering such
> > > > locally generated traffic. And many more.
> 
> Any chance to continue with this approach? I'm afraid outbound
> af_packets also could not be filtered without this hook.

Thanks Laura, good to hear there's interest in the functionality.

Daniel submitted a revert of this series but didn't cc me:

https://lore.kernel.org/netdev/bbdee6355234e730ef686f9321bd072bcf4bb232.1584523237.git.daniel@iogearbox.net/

In the ensuing discussion it turned out that the performance argument
may be addressed by a rearrangement of sch_handle_egress() and
nf_egress() invocations.  I could look into amending the series
accordingly and resubmitting, though I'm currently swamped with
other work.

The question is whether that's going to be sufficient because Daniel
mentioned having an in-tree user as a prerequisite for accepting this
feature, to which Pablo responded with NAT64/NAT46.  I don't have
intentions of implementing those, but maybe someone else has.

Thanks,

Lukas

Powered by blists - more mailing lists