From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: "Laura García Liébana" <nevola@gmail.com>,
	"Lukas Wunner" <lukas@wunner.de>,
	"John Fastabend" <john.fastabend@gmail.com>,
	"Jozsef Kadlecsik" <kadlec@netfilter.org>,
	"Florian Westphal" <fw@strlen.de>,
	"Netfilter Development Mailing list"
	<netfilter-devel@vger.kernel.org>,
	coreteam@netfilter.org, netdev@vger.kernel.org,
	"Alexei Starovoitov" <ast@kernel.org>,
	"Eric Dumazet" <edumazet@google.com>,
	"Thomas Graf" <tgraf@suug.ch>,
	"David Miller" <davem@davemloft.net>
Subject: Re: [PATCH nf-next v3 3/3] netfilter: Introduce egress hook
Date: Sat, 19 Sep 2020 17:52:06 +0200	[thread overview]
Message-ID: <20200919155206.GB28865@salvia> (raw)
In-Reply-To: <b0989f93-e708-4a68-1622-ab3de629be77@iogearbox.net>

Hi Daniel,

Long time no see, unfortunately this complicated situation is keeping
us away from personal reach, that's unfortunate. Now, looking into
this topic...

On Fri, Sep 18, 2020 at 10:31:09PM +0200, Daniel Borkmann wrote:
> [...] That is if there is an opt-in to such data path being used, then it also
> needs to continue to work, which gets me back to the earlier mentioned example
> with the interaction on the egress side with that hook that it needs to
> /interoperate/ with tc to avoid breakage of existing use cases in the wild.
> Reuse of skb flag could be one option to move forward, or as mentioned in
> earlier mails overall rework of ingress/egress side to be a more flexible
> pipeline (think of cont/ok actions as with tc filters or stackable LSMs to
> process & delegate).

The netfilter ingress hook was introduced many years after the tc
ingress "qdisc" (in the 4.2 kernel series), and I have absolutely no
records of one single complaint from users in the netdev and netfilter
mailing lists regarding this being an issue / breaking anything. The
ingress hook needs to be *explicitly* registered by the user, so an
explicit user action to register the hook is required to register this
hook. As for this egress hook, it will be disabled by default too, since
egress chains are only registered on demand.

Assuming that preventing Netfilter from operating will *not* break things
makes no sense. It's the user who makes sure that policies are
consistent across the datapath. I don't think there is any mechanism
that ensures that user policy fully makes sense.

Note that:

- The user can easily inspect if someone registered an egress hook.
- Your software can just report a warning to your user if an
  interaction with other subsystems makes no sense, it's just a bit of
  Netlink code from userspace if you don't want to wait for the user to
  notice.

You mentioned there is a real issue at this moment since AF_PACKET might
bypass dev_queue_xmit(), I think we can just ask Lukas to extend his
patch to include a hook there, so you can also follow up to fix this
issue for you too.

Thank you Daniel, stay safe.
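
The two points above (the egress hook is only registered when a user creates an egress base chain, and anyone can inspect from userspace whether such a chain exists) are shown below with the nft syntax that eventually shipped for this hook. This is an added example, not code from the patch series or from anyone in this thread; it assumes a kernel with the netfilter egress hook (mainline 5.16 and later) and an nft binary that accepts "hook egress" (nftables 1.0.1 and later). The device name "eth0" and the sample rule are placeholders.

```shell
#!/bin/sh
# Added example, not part of the patch series or this thread.
# Assumes: kernel >= 5.16 (netfilter egress hook), nft >= 1.0.1.
# Device "eth0" and the rule body are constructed placeholders.

# Emit a ruleset with one egress base chain bound to the given device.
# Nothing is hooked into the datapath until this ruleset is loaded; the
# base chain is what registers the hook, and deleting the table unregisters it.
egress_ruleset() {
    dev="$1"
    cat <<EOF
table netdev filter {
	chain egress {
		type filter hook egress device "$dev" priority filter; policy accept;
		udp dport 53 counter
	}
}
EOF
}

# Read "nft list ruleset" output on stdin; succeed if any base chain is
# attached to the egress hook. This is the userspace check the mail refers
# to: a tool that also programs the egress path can warn before it collides.
has_egress_hook() {
    grep -q 'type filter hook egress'
}

# Read "nft list ruleset" output on stdin; print one device name per line
# for every egress base chain found.
egress_hook_devices() {
    sed -n 's/.*hook egress device "\([^"]*\)".*/\1/p'
}

# Register the hook (needs root and a capable kernel), then report what is
# bound. Only runs when NFT_APPLY is set so the functions can be sourced
# and tested without touching the live ruleset.
apply_egress_hook() {
    egress_ruleset "$1" | nft -f -
    nft list ruleset | egress_hook_devices
}

if [ -n "${NFT_APPLY:-}" ]; then
    apply_egress_hook "${1:-eth0}"
fi
```

Usage: `NFT_APPLY=1 sudo sh egress.sh eth0` loads the chain and prints `eth0`; `nft delete table netdev filter` removes the chain and with it the hook registration. Running `nft list ruleset | sh -c '. ./egress.sh; has_egress_hook'` from another tool is enough to detect that an egress chain is present before installing a competing egress policy.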

Thread overview: 40+ messages
2020-08-27  8:55 [PATCH nf-next v3 0/3] Netfilter egress hook Lukas Wunner
2020-08-27  8:55 ` [PATCH nf-next v3 1/3] netfilter: Rename ingress hook include file Lukas Wunner
2020-08-27  8:55 ` [PATCH nf-next v3 2/3] netfilter: Generalize ingress hook Lukas Wunner
2020-08-27  8:55 ` [PATCH nf-next v3 3/3] netfilter: Introduce egress hook Lukas Wunner
2020-08-28 18:52   ` John Fastabend
2020-09-03  5:00     ` John Fastabend
2020-09-04  8:54       ` Laura García Liébana
2020-09-04 15:46         ` John Fastabend
2020-09-05 11:13           ` Laura García Liébana
2020-09-04 16:21       ` Lukas Wunner
2020-09-04 21:14         ` Daniel Borkmann
2020-09-05  5:24           ` Lukas Wunner
2020-09-08 12:55             ` Daniel Borkmann
2020-09-11  7:42               ` Laura García Liébana
2020-09-11 16:27                 ` Daniel Borkmann
2020-09-14 11:29                   ` Laura García Liébana
2020-09-14 22:02                     ` Daniel Borkmann
2020-09-17 10:28                       ` Laura García Liébana
2020-09-18 20:31                         ` Daniel Borkmann
2020-09-19 15:52                           ` Pablo Neira Ayuso [this message]
2020-09-21  7:07                           ` Laura García Liébana
2020-10-11  8:26                       ` Lukas Wunner
2020-11-21 18:59                         ` Pablo Neira Ayuso
2020-11-22  3:24                           ` Alexei Starovoitov
2020-11-22 11:01                             ` Pablo Neira Ayuso
2020-11-24  3:34                               ` Alexei Starovoitov
2020-11-24  7:31                                 ` Lukas Wunner
2020-11-24 22:55                                   ` Alexei Starovoitov
2020-10-11  7:59               ` Lukas Wunner
2020-09-05 11:18           ` Laura García Liébana
2020-09-07 22:11             ` Daniel Borkmann
2020-09-08  6:19               ` Laura García Liébana
2020-09-08 11:46           ` Arturo Borrero Gonzalez
2020-09-08 13:27             ` Daniel Borkmann
2020-09-08 18:58         ` John Fastabend
2020-09-19 15:54   ` Pablo Neira Ayuso
2020-09-28 12:20     ` Lukas Wunner
2020-08-27 10:36 ` [PATCH nf-next v3 0/3] Netfilter " Laura García Liébana
2020-08-28  7:14 ` Daniel Borkmann
2020-08-28  9:14   ` Eric Dumazet
