On Fri, 17 Jul 2009 18:50:52 +0200
Stefan Hellkvist <hellkvist@xxxxxxxxx> wrote:

> Hi,
>
> Could anyone help me understand the execution context under which
> netfilter hooks are being executed? I played around with some code in
> order to learn things and noticed that the code executed differently
> in a netfilter hook than in, for instance, the init method of a module
> and I fail to understand why that is (possibly due to lack of
> understanding of the kernel in general).
>
> I can give a very simplified example. Take the following ridiculous
> code which reads a few bytes from a file in the file system (yes, a
> very unlikely example I know, but the question about writing or
> reading files from kernel space is not in my interest right now):
>
> static void
> readshadow(void) {
>     struct file *fp;
>     char buf[1024];
>
>     /* filp_open() may sleep; on failure it returns an ERR_PTR, never NULL */
>     fp = filp_open("/etc/shadow", O_RDONLY, 0);
>     if (!IS_ERR(fp)) {
>         /* kernel_read() may sleep as well */
>         int retval = kernel_read(fp, 0, buf, 20);
>         if (retval != 20) {
>             printk("disaster!\n");
>         }
>         buf[20] = '\0';
>         printk("first 20 chars: \"%s\"\n", buf);
>         filp_close(fp, 0);
>     }
> }

One of the repeating mantras of kernel development is:
"Don't do file I/O in kernel code."

Your code is wrong not just because kernel I/O can sleep, but also because
there really is not just one namespace, so what is /etc/shadow?

The right way to do something like this is to read/parse the file in
a utility and pass the necessary data into the kernel module through
other mechanisms (/proc, netlink, debugfs, ...)