tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: NPF: fast kick

Maxime Villard <> wrote:
> Le 13/03/2018 à 20:48, Mindaugas Rasiukevicius a écrit :
> > Maxime Villard <> wrote:
> >> The change I made was exactly your first sentence: perform minimum
> >> sanity checks, to ensure the basic operation of NPF. If the basic
> >> operation cannot be assured, then fast-kick the packet.
> >>
> >> If you pass the packet to the ruleset machinery, things can go wrong,
> >> because the basic operation of the machinery cannot be assured.
> > 
> > And why not?
> Because the stateful-inspection/ruleset-machinery/JIT-code/etc use the
> values that were constructed when parsing the packet. If these values are
> wrong, correctness of the operations is not ensured.

Yes (in a typical use case), contained in npf_cache_t with information
flags on what was parsed/cached.  So, keep those flags correct -- that
is pretty much all you need to do.  And let the rules decide what to do
with the unrecognized/malformed/invalid packets.

Note that the BPF byte-code interpreter (or JIT-code) itself merely
needs a valid mbuf chain; there cannot be any overflows there.


Home | Main Index | Thread Index | Old Index