lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 21 Sep 2020 09:07:46 +0200
From:   Laura García Liébana <>
To:     Daniel Borkmann <>
Cc:     Lukas Wunner <>,
        John Fastabend <>,
        Pablo Neira Ayuso <>,
        Jozsef Kadlecsik <>,
        Florian Westphal <>,
        Netfilter Development Mailing list 
        <>,,, Alexei Starovoitov <>,
        Eric Dumazet <>,
        Thomas Graf <>, David Miller <>
Subject: Re: [PATCH nf-next v3 3/3] netfilter: Introduce egress hook

Hi Daniel,

On Fri, Sep 18, 2020 at 10:31 PM Daniel Borkmann <> wrote:
> On 9/17/20 12:28 PM, Laura García Liébana wrote:
> > On Tue, Sep 15, 2020 at 12:02 AM Daniel Borkmann <> wrote:
> >> On 9/14/20 1:29 PM, Laura García Liébana wrote:
> >>> On Fri, Sep 11, 2020 at 6:28 PM Daniel Borkmann <> wrote:
> >>>> On 9/11/20 9:42 AM, Laura García Liébana wrote:
> >>>>> On Tue, Sep 8, 2020 at 2:55 PM Daniel Borkmann <> wrote:
> >>>>>> On 9/5/20 7:24 AM, Lukas Wunner wrote:
> >>>>>>> On Fri, Sep 04, 2020 at 11:14:37PM +0200, Daniel Borkmann wrote:
> >>>>>>>> On 9/4/20 6:21 PM, Lukas Wunner wrote:
> >>>>>> [...]
> >>>>>>>> The tc queueing layer which is below is not the tc egress hook; the
> >>>>>>>> latter is for filtering/mangling/forwarding or helping the lower tc
> >>>>>>>> queueing layer to classify.
> >>>>>>>
> >>>>>>> People want to apply netfilter rules on egress, so either we need an
> >>>>>>> egress hook in the xmit path or we'd have to teach tc to filter and
> >>>>>>> mangle based on netfilter rules.  The former seemed more straight-forward
> >>>>>>> to me but I'm happy to pursue other directions.
> >>>>>>
> >>>>>> I would strongly prefer something where nf integrates into existing tc hook,
> >>>>>> not only due to the hook reuse which would be better, but also to allow for a
> >>>>>> more flexible interaction between tc/BPF use cases and nf, to name one
> >>>>>
> >>>>> That sounds good but I'm afraid that it would take too much back and
> >>>>> forth discussions. We'll really appreciate it if this small patch can
> >>>>> be unblocked and then rethink the refactoring of ingress/egress hooks
> >>>>> that you commented in another thread.
> >>>>
> >>>> I'm not sure whether your comment was serious or not, but nope, this needs
> >>>> to be addressed as mentioned as otherwise this use case would regress. It
> >>>
> >>> This patch doesn't break anything. The tc redirect use case that you
> >>> just commented on is the expected behavior and the same will happen
> >>> with ingress. To be consistent, in the case that someone requires both
> >>> hooks, another tc redirect would be needed in the egress path. If you
> >>> mean to bypass the nf egress if tc redirect in ingress is used, that
> >>> would lead in a huge security concern.
> >>
> >> I'm not sure I parse what you're saying above ... today it is possible and
> >> perfectly fine to e.g. redirect to a host-facing veth from tc ingress which
> >> then goes into container. Only traffic that goes up the host stack is seen
> >> by nf ingress hook in that case. Likewise, reply traffic can be redirected
> >> from host-facing veth to phys dev for xmit w/o any netfilter interference.
> >> This means netfilter in host ns really only sees traffic to/from host as
> >> intended. This is fine today, however, if 3rd party entities (e.g. distro
> >> side) start pushing down rules on the two nf hooks, then these use cases will
> >> break on the egress one due to this asymmetric layering violation. Hence my
> >> ask that this needs to be configurable from a control plane perspective so
> >> that both use cases can live next to each other w/o breakage. Most trivial
> >
> > Why does it should be symmetric? Fast-paths create "asymmetric
> > layering" continuously, see: packet hit XDP to user space bypassing
> > ingress, but in the response will hit egress. So the "breakage" is
> > already there.
> Not quite sure what you mean exactly here or into which issue you ran. Either

I don't really know, we were discussing about your issue :)

> you push the xdp buffer back out from XDP layer for load balancer case so upper
> stack never sees it, or you push it to upper stack, and it goes through the
> ingress/egress hooks e.g. from tc side. AF_XDP will bypass either. If you mean
> the redirect from XDP layer to the veth devs where they have XDP support, then
> the reply path also needs to operate /below/ netfilter on tc layer exactly for
> the reason /not/ to break, as otherwise we get potentially hard to debug skb
> drops on netfilter side when CT is involved and it figures it must drop due to

So, the "breakage" is about because it is difficult to debug CT drops,
or maybe it creates asymmetric layering, or maybe problems with nf/tc
interoperation? Sorry, this is so confusing. I suspect that the issue
you're talking about is a consequence of having different hooks,
nothing specifically related to this patch cause these use cases
you're referring to are happening right now with XDP, tc and CT.

The advantage is that with nf you only register the hooks required, so
this won't be a problem. Also, we are having more and more mechanisms
for ingress and CT interoperation, and this will be quite easy to
extend to egress.

> invalid CT state to name one example. That is if there is an opt-in to such data
> path being used, then it also needs to continue to work, which gets me back to
> the earlier mentioned example with the interaction on the egress side with that
> hook that it needs to /interoperate/ with tc to avoid breakage of existing use
> cases in the wild. Reuse of skb flag could be one option to move forward, or as
> mentioned in earlier mails overall rework of ingress/egress side to be a more
> flexible pipeline (think of cont/ok actions as with tc filters or stackable LSMs
> to process & delegate).

Again, a flag is not needed as you can register and de-register nf
hooks on demand.


Powered by blists - more mailing lists