Re: NPF: fast kick

[Maxime Villard <max%m00nbsd.net@localhost>]

Le 13/03/2018 à 21:23, Mindaugas Rasiukevicius a écrit :
> Maxime Villard <max%m00nbsd.net@localhost> wrote:
> > Le 13/03/2018 à 20:48, Mindaugas Rasiukevicius a écrit :
> > > Maxime Villard <max%m00nbsd.net@localhost> wrote:
> > > > The change I made was exactly your first sentence: perform minimum
> > > > sanity checks, to ensure the basic operation of NPF. If the basic
> > > > operation cannot be assured, then fast-kick the packet.
> > > >
> > > > If you pass the packet to the ruleset machinery, things can go wrong,
> > > > because the basic operation of the machinery cannot be assured.
> > >
> > > And why not?
> >
> > Because the stateful-inspection/ruleset-machinery/JIT-code/etc use the
> > values that were constructed when parsing the packet. If these values are
> > wrong, correctness of the operations is not ensured.
>
> Yes (in a typical use case), contained in npf_cache_t with information
> flags on what was parsed/cached.  So, keep those flags correct -- that
> is pretty much all you need to do.  And let the rules decide what to do
> with the unrecognized/malformed/invalid packets.

Yes. And npc_hlen is contained in npf_cache_t, so it needs to be correct,
which is exactly what I ensure in my basic checks.

> Note that the BPF byte-code interpreter (or JIT-code) itself merely
> needs a valid mbuf chain; there cannot be any overflows there.

Yes, there are no overflows until I look at the code and find a dozen. That's
not a reason for not having basic sanity checks beforehand.