Received: by 10.192.165.148 with SMTP id m20csp3229903imm;
        Mon, 7 May 2018 08:46:04 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZpzy4x2NaG8hIlBmGVO53jzCkwvegAIn4W9zgztAjwdZ+OJw87IFODFZsXoWRqHgFc7czzk
X-Received: by 2002:a6b:82a0:: with SMTP id m32-v6mr41876436ioi.56.1525707964459;
        Mon, 07 May 2018 08:46:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525707964; cv=none;
        d=google.com; s=arc-20160816;
        b=wDl+/eaLznF2WFcIF8TA2+bTW3+xn+weElcb1MdQJROh7fQTFsc5AchIF2scDbu0Hp
         0l01BP8zE010gq+EM8ptx0OQDanBJSkAcaX2uSoeUgP1KX0Sisv3ecne0cZioFHakjH2
         iFloXl73wjdfWW5s0dWNoCNP9Z8EqLlMTsknnddgkwm71TgcIHxbxaFcsUaxY0H3dFPC
         Cz0OzJwbUwnRjUVDhfONRZjCTzZNo57iXzCs60BxWfzzHBPCbdrBVV07BDrxqNrlXyFH
         nOkvcTmzS0PGJlsDdqf3V0rqzOCiw+kmgiNslKzr3Pyq4TOsehAOQl0CYAUeYs4X3ucs
         ctpg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=SrJsQ8cvq+cpu0uokBWGh31+I7hZ6ouTaxZJnGMqnHQ=;
        b=b14I30z09C0gg581nzByxV3u8vJGotJUbMd6Mxp79xSxNxqtz6yVH14efSLeSEcD7c
         HTU5qQEAgNsZmNa+8xdT/VPJIwe5jBGpCWj9FOZqp2XNfFo7IuN13vD0okSsJ70Az4Zd
         z5v/TxrWM8aQHxMAZyWUyBirfGbeO/+UpAMvffkovxuNnxbNM74/NDNbBlBof8C/6Koi
         7Ed9fpSF+DCaWI8c3M35wuTGvJJpN7HxHfkjYQqRYqa6BytMUohFFLj+ts2YOTEZtC4q
         NVfFU3u1wbMsDDTsMlLkdBJD8xlk0xukFsj4kkMZFbHXWT8GpwmcB0OLmmIGlGK1TKQf
         6aCw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i143-v6si7322834iti.121.2018.05.07.08.45.51;
        Mon, 07 May 2018 08:46:04 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752668AbeEGPpd (ORCPT <rfc822;zjuysxie86@gmail.com>
        + 99 others); Mon, 7 May 2018 11:45:33 -0400
Received: from ganesha.gnumonks.org ([213.95.27.120]:52655 "EHLO
        ganesha.gnumonks.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752498AbeEGPpb (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 7 May 2018 11:45:31 -0400
X-Greylist: delayed 921 seconds by postgrey-1.27 at vger.kernel.org; Mon, 07 May 2018 11:45:31 EDT
Received: from uucp by ganesha.gnumonks.org with local-bsmtp (Exim 4.84_2)
        (envelope-from <laforge@gnumonks.org>)
        id 1fFi5U-0007ln-EV; Mon, 07 May 2018 17:30:04 +0200
Received: from laforge by localhost.localdomain with local (Exim 4.91)
        (envelope-from <laforge@gnumonks.org>)
        id 1fFi0B-0007UM-89; Mon, 07 May 2018 17:24:35 +0200
Date:   Mon, 7 May 2018 17:24:35 +0200
From:   Harald Welte <laforge@gnumonks.org>
To:     Alexei Starovoitov <ast@kernel.org>
Cc:     davem@davemloft.net, daniel@iogearbox.net,
        torvalds@linux-foundation.org, gregkh@linuxfoundation.org,
        luto@amacapital.net, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, kernel-team@fb.com
Subject: Re: [PATCH v2 net-next 2/4] net: add skeleton of bpfilter kernel
 module
Message-ID: <20180507152435.GE19042@nataraja>
References: <20180503043604.1604587-1-ast@kernel.org>
 <20180503043604.1604587-3-ast@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180503043604.1604587-3-ast@kernel.org>
User-Agent: Mutt/1.9.5 (2018-04-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Alexei + netdev list,

On Wed, May 02, 2018 at 09:36:02PM -0700, Alexei Starovoitov wrote:
> Later bpfilter_process_sockopt() will be called from bpfilter hooks
> in get/setsockopt() to pass iptable commands into umh via bpfilter.ko

This is a part I'm quite heavily opposed to - at least at this point.
Unless bpfilter offered something that is semantically compatible to
what netfilter/iptables is currently implementing, I don't think
bpfilter should be [allowed to] overriding the iptables
{get,set}sockopt() calls.

I appreciate that people are working on a different architecture packet
filter than what we used to.   I also understand that there is a need
for backwards compatibility.  I still think it's wrong to offer that
compatibility on the {set,get}sockopt level, rather than on the
"iptables command line utility replacement" level.  But nevermind, you
guys have a different opinion on that, on which we can agree to
disagree.

However, no matter what you do, the most important part from the user
point of view is to make sure you don't break semantics.

netfilter/iptables semantics have an intricate notion abut when which
chain of which table is executed, in which order, at what particular
point of the packet traversal during the network stack.  The packet
filtering rulesets that people have created over more than 18 years
are based on those semantics.  If you offer the same interface, but not
that very same semantics, the packet filtering policies can an will
break - and they will break so in a hidden way.  To the user, it appears
as if the ruleset is loaded with the assumed semantics, but in reality
it isn't.

Unless you can replicate those semantics 1:1, I think it is not only
wrong to override the iptables sockopt interface, but it's outright
dangerous.

Having less matches/targets implemented than original iptables is
something that I believe is acceptable (and inevitable, at least in the
beginning).  If somebody tries to load a related ruleset with bpfilter
active, it will fail gracefully and the user can chose to not use that
match/target in his ruleset, or to not use bpfilter.

But if the ruleset loads but behaves different than before (because e.g.
it's executed from a completely different place in the stack), that's
IMHO an absolute no-go that must be avoided at all cost.  If that's the
case, you are actively breaking network security, rather than creating
it.

So I think there's only two ways to go:

a) replicate the exact semantics/order of the filter/mangle/raw/...
   tables and their chains, both among themselves as well as in terms of
   ordering with other parts of the network stack, or

b) not use the existing tables/chains with their pre-defined semantics
   but rather start new 'tables' which can then have different semantics
   as defined at the time of their implementation.

My apologies if I misunderstood something about bpfilter.  Feel free to
correct me where I'm wrong.  Thanks.

Regards,
	Harald
-- 
- Harald Welte <laforge@gnumonks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)