tech-net archive
Re: NPF: fast kick
Maxime Villard <max%m00nbsd.net@localhost> wrote:
> On 13/03/2018 at 20:48, Mindaugas Rasiukevicius wrote:
> > Maxime Villard <max%m00nbsd.net@localhost> wrote:
> >> The change I made was exactly your first sentence: perform minimum
> >> sanity checks, to ensure the basic operation of NPF. If the basic
> >> operation cannot be assured, then fast-kick the packet.
> >>
> >> If you pass the packet to the ruleset machinery, things can go wrong,
> >> because the basic operation of the machinery cannot be assured.
> >
> > And why not?
>
> Because the stateful-inspection/ruleset-machinery/JIT-code/etc use the
> values that were constructed when parsing the packet. If these values are
> wrong, correctness of the operations is not ensured.

Yes (in a typical use case), contained in npf_cache_t with information
flags on what was parsed/cached. So, keep those flags correct -- that
is pretty much all you need to do. And let the rules decide what to do
with the unrecognized/malformed/invalid packets.

Note that the BPF byte-code interpreter (or JIT-code) itself merely
needs a valid mbuf chain; there cannot be any overflows there.

--
Mindaugas
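
Added illustration (not part of the original message and not NPF source code) of the approach argued for in the reply above: the parser sets an information flag only after the matching header passes its bounds checks, and the rule reads a cached field only when its flag is set. The names pkt_cache, PC_IP4, PC_TCP, pkt_parse, rule_eval and verdict_for are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical model, not NPF source: names and layout are assumptions. */
#define PC_IP4 0x01u /* IPv4 header bounds-checked and cached */
#define PC_TCP 0x02u /* TCP header bounds-checked and cached */
struct pkt_cache { uint32_t flags; uint8_t proto; uint16_t dport; };
enum verdict { V_BLOCK = 0, V_PASS = 1 };

/* Set each flag only after the matching header has been fully validated. */
static void pkt_parse(const uint8_t *p, size_t len, struct pkt_cache *pc)
{
    pc->flags = 0; pc->proto = 0; pc->dport = 0;
    if (len < 20 || (p[0] >> 4) != 4)
        return;                          /* not IPv4: nothing cached */
    size_t hlen = (size_t)(p[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)
        return;                          /* bad IHL: PC_IP4 stays clear */
    pc->proto = p[9];
    pc->flags |= PC_IP4;
    if (pc->proto != 6 || len - hlen < 20)
        return;                          /* no complete TCP header */
    const uint8_t *t = p + hlen;
    size_t doff = (size_t)(t[12] >> 4) * 4;
    if (doff < 20 || doff > len - hlen)
        return;                          /* bad data offset: PC_TCP stays clear */
    pc->dport = (uint16_t)((t[2] << 8) | t[3]);
    pc->flags |= PC_TCP;
}

/* Rule "pass TCP to port 22, default block": a field is read only if flagged. */
static enum verdict rule_eval(const struct pkt_cache *pc)
{
    if ((pc->flags & (PC_IP4 | PC_TCP)) == (PC_IP4 | PC_TCP) && pc->dport == 22)
        return V_PASS;
    return V_BLOCK; /* malformed packets reach the rules and hit the default */
}

/* Constructed sample: 20-byte IPv4 header + 20-byte TCP header, dport 22. */
static const uint8_t sample_ok[40] = {
    0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
    0x30, 0x39, 0x00, 0x16, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0, 0, 0, 0, 0, 0 };

static enum verdict verdict_for(const uint8_t *p, size_t len)
{
    struct pkt_cache pc;
    pkt_parse(p, len, &pc);
    return rule_eval(&pc);
}
int main(void) { return verdict_for(sample_ok, sizeof sample_ok) != V_PASS; }
```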