Received: by 10.192.165.148 with SMTP id m20csp3229903imm; Mon, 7 May 2018 08:46:04 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpzy4x2NaG8hIlBmGVO53jzCkwvegAIn4W9zgztAjwdZ+OJw87IFODFZsXoWRqHgFc7czzk X-Received: by 2002:a6b:82a0:: with SMTP id m32-v6mr41876436ioi.56.1525707964459; Mon, 07 May 2018 08:46:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525707964; cv=none; d=google.com; s=arc-20160816; b=wDl+/eaLznF2WFcIF8TA2+bTW3+xn+weElcb1MdQJROh7fQTFsc5AchIF2scDbu0Hp 0l01BP8zE010gq+EM8ptx0OQDanBJSkAcaX2uSoeUgP1KX0Sisv3ecne0cZioFHakjH2 iFloXl73wjdfWW5s0dWNoCNP9Z8EqLlMTsknnddgkwm71TgcIHxbxaFcsUaxY0H3dFPC Cz0OzJwbUwnRjUVDhfONRZjCTzZNo57iXzCs60BxWfzzHBPCbdrBVV07BDrxqNrlXyFH nOkvcTmzS0PGJlsDdqf3V0rqzOCiw+kmgiNslKzr3Pyq4TOsehAOQl0CYAUeYs4X3ucs ctpg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=SrJsQ8cvq+cpu0uokBWGh31+I7hZ6ouTaxZJnGMqnHQ=; b=b14I30z09C0gg581nzByxV3u8vJGotJUbMd6Mxp79xSxNxqtz6yVH14efSLeSEcD7c HTU5qQEAgNsZmNa+8xdT/VPJIwe5jBGpCWj9FOZqp2XNfFo7IuN13vD0okSsJ70Az4Zd z5v/TxrWM8aQHxMAZyWUyBirfGbeO/+UpAMvffkovxuNnxbNM74/NDNbBlBof8C/6Koi 7Ed9fpSF+DCaWI8c3M35wuTGvJJpN7HxHfkjYQqRYqa6BytMUohFFLj+ts2YOTEZtC4q NVfFU3u1wbMsDDTsMlLkdBJD8xlk0xukFsj4kkMZFbHXWT8GpwmcB0OLmmIGlGK1TKQf 6aCw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i143-v6si7322834iti.121.2018.05.07.08.45.51; Mon, 07 May 2018 08:46:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752668AbeEGPpd (ORCPT + 99 others); Mon, 7 May 2018 11:45:33 -0400 Received: from ganesha.gnumonks.org ([213.95.27.120]:52655 "EHLO ganesha.gnumonks.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752498AbeEGPpb (ORCPT ); Mon, 7 May 2018 11:45:31 -0400 X-Greylist: delayed 921 seconds by postgrey-1.27 at vger.kernel.org; Mon, 07 May 2018 11:45:31 EDT Received: from uucp by ganesha.gnumonks.org with local-bsmtp (Exim 4.84_2) (envelope-from ) id 1fFi5U-0007ln-EV; Mon, 07 May 2018 17:30:04 +0200 Received: from laforge by localhost.localdomain with local (Exim 4.91) (envelope-from ) id 1fFi0B-0007UM-89; Mon, 07 May 2018 17:24:35 +0200 Date: Mon, 7 May 2018 17:24:35 +0200 From: Harald Welte To: Alexei Starovoitov Cc: davem@davemloft.net, daniel@iogearbox.net, torvalds@linux-foundation.org, gregkh@linuxfoundation.org, luto@amacapital.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@fb.com Subject: Re: [PATCH v2 net-next 2/4] net: add skeleton of bpfilter kernel module Message-ID: <20180507152435.GE19042@nataraja> References: <20180503043604.1604587-1-ast@kernel.org> <20180503043604.1604587-3-ast@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180503043604.1604587-3-ast@kernel.org> User-Agent: Mutt/1.9.5 (2018-04-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Alexei + netdev list, On Wed, May 02, 2018 at 09:36:02PM -0700, Alexei Starovoitov wrote: > Later bpfilter_process_sockopt() will be called from bpfilter hooks > in get/setsockopt() to pass iptable commands into umh via bpfilter.ko This is a part I'm quite heavily opposed to - at least at this point. Unless bpfilter offered something that is semantically compatible to what netfilter/iptables is currently implementing, I don't think bpfilter should be [allowed to] overriding the iptables {get,set}sockopt() calls. I appreciate that people are working on a different architecture packet filter than what we used to. I also understand that there is a need for backwards compatibility. I still think it's wrong to offer that compatibility on the {set,get}sockopt level, rather than on the "iptables command line utility replacement" level. But nevermind, you guys have a different opinion on that, on which we can agree to disagree. However, no matter what you do, the most important part from the user point of view is to make sure you don't break semantics. netfilter/iptables semantics have an intricate notion abut when which chain of which table is executed, in which order, at what particular point of the packet traversal during the network stack. The packet filtering rulesets that people have created over more than 18 years are based on those semantics. If you offer the same interface, but not that very same semantics, the packet filtering policies can an will break - and they will break so in a hidden way. To the user, it appears as if the ruleset is loaded with the assumed semantics, but in reality it isn't. Unless you can replicate those semantics 1:1, I think it is not only wrong to override the iptables sockopt interface, but it's outright dangerous. Having less matches/targets implemented than original iptables is something that I believe is acceptable (and inevitable, at least in the beginning). If somebody tries to load a related ruleset with bpfilter active, it will fail gracefully and the user can chose to not use that match/target in his ruleset, or to not use bpfilter. But if the ruleset loads but behaves different than before (because e.g. it's executed from a completely different place in the stack), that's IMHO an absolute no-go that must be avoided at all cost. If that's the case, you are actively breaking network security, rather than creating it. So I think there's only two ways to go: a) replicate the exact semantics/order of the filter/mangle/raw/... tables and their chains, both among themselves as well as in terms of ordering with other parts of the network stack, or b) not use the existing tables/chains with their pre-defined semantics but rather start new 'tables' which can then have different semantics as defined at the time of their implementation. My apologies if I misunderstood something about bpfilter. Feel free to correct me where I'm wrong. Thanks. Regards, Harald -- - Harald Welte http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)