tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: NPF: fast kick

Le 13/03/2018 à 21:23, Mindaugas Rasiukevicius a écrit :
Maxime Villard <> wrote:
Le 13/03/2018 à 20:48, Mindaugas Rasiukevicius a écrit :
Maxime Villard <> wrote:
The change I made was exactly your first sentence: perform minimum
sanity checks, to ensure the basic operation of NPF. If the basic
operation cannot be assured, then fast-kick the packet.

If you pass the packet to the ruleset machinery, things can go wrong,
because the basic operation of the machinery cannot be assured.

And why not?

Because the stateful-inspection/ruleset-machinery/JIT-code/etc use the
values that were constructed when parsing the packet. If these values are
wrong, correctness of the operations is not ensured.

Yes (in a typical use case), contained in npf_cache_t with information
flags on what was parsed/cached.  So, keep those flags correct -- that
is pretty much all you need to do.  And let the rules decide what to do
with the unrecognized/malformed/invalid packets.

Yes. And npc_hlen is contained in npf_cache_t, so it needs to be correct,
which is exactly what I ensure in my basic checks.

Note that the BPF byte-code interpreter (or JIT-code) itself merely
needs a valid mbuf chain; there cannot be any overflows there.

Yes, there are no overflows until I look at the code and find a dozen. That's
not a reason for not having basic sanity checks beforehand.

Home | Main Index | Thread Index | Old Index