From: Alexei Starovoitov <ast@xxxxxxxxxxxx>
Date: Mon, 28 Jul 2014 18:12:05 -0700

> On Mon, Jul 28, 2014 at 2:45 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>>> > struct sk_filter_cb {
>>> >         int type;
>>> >         struct module *me;
>>> >         void (*charge)(struct sock *sk, struct sk_filter *fp);
>>> >         void (*uncharge)(struct sock *sk, struct sk_filter *fp);
>>> >         unsigned int (*run_filter)(struct sk_filter *fp, struct sk_buff *skb);
>>> > };
>>>
>>> Pablo,
>>>
>>> I don't think you understand the scope of BPF.
>>> 'struct module *'? to attach nft to sockets? ouch.
>>
>> The idea is that there will be one sk_filter_cb per socket filtering
>> approach. The structure module is just there in case one of the
>> approaches is loadable as a kernel module; it's the typical code pattern
>> in the kernel. You can git grep for similar code.
>
> Socket filtering is available to unprivileged users.
> So you're proposing to let them increment refcnt of modules?!
> That's not secure.

It's impossible to avoid, and really is nothing new.

Users can open sockets, and that holds a reference to the module
implementing that protocol.

Is that not secure too?

This discussion is degenerating into nonsense, please stop ignoring
Pablo's core points.

Thanks.