Re: NPF: fast kick

[Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>]

Maxime Villard <max%m00nbsd.net@localhost> wrote:
> Le 13/03/2018 à 20:48, Mindaugas Rasiukevicius a écrit :
> > Maxime Villard <max%m00nbsd.net@localhost> wrote:
> >> The change I made was exactly your first sentence: perform minimum
> >> sanity checks, to ensure the basic operation of NPF. If the basic
> >> operation cannot be assured, then fast-kick the packet.
> >>
> >> If you pass the packet to the ruleset machinery, things can go wrong,
> >> because the basic operation of the machinery cannot be assured.
> > 
> > And why not?
> 
> Because the stateful-inspection/ruleset-machinery/JIT-code/etc use the
> values that were constructed when parsing the packet. If these values are
> wrong, correctness of the operations is not ensured.

Yes (in a typical use case), contained in npf_cache_t with information
flags on what was parsed/cached.  So, keep those flags correct -- that
is pretty much all you need to do.  And let the rules decide what to do
with the unrecognized/malformed/invalid packets.

Note that the BPF byte-code interpreter (or JIT-code) itself merely
needs a valid mbuf chain; there cannot be any overflows there.

-- 
Mindaugas