Re: Xtables2 Netlink spec

On Friday 2010-12-17 10:55, Pablo Neira Ayuso wrote:

>On 16/12/10 15:05, Thomas Graf wrote:
>> On Wed, Dec 15, 2010 at 02:54:26PM +0100, Pablo Neira Ayuso wrote:
>>>> BTW, can response messages - all those leading up to NLMSG_DONE -
>>>> have different nlmsg_type, or not?
>>>
>>> They all have the same type.
>> 
>> This is not a MUST. It is perfectly legal to f.e.:
>> 
>>  -> FOO_GET (seq=1, NLM_F_REQUEST)
>>  <- FOO_DEL (seq=1, NLM_F_MULTI)
>>  <- FOO_ADD (seq=1, NLM_F_MULTI)
>>  <- NLMSG_DONE (seq=1)
>
>What realistic situation will require this?

This does:

-> NFXTM_CHAIN_DUMP<NFXTA_NAME>
<- NFXTM_RULE_START<>
<- NFXTM_EMATCH<NFXTA_NAME,NFXTA_REVISION,NFXTA_DATA>
<- NFXTM_EMATCH<NFXTA_NAME,NFXTA_REVISION,NFXTA_DATA>
<- NFXTM_ETARGET<NFXTA_NAME,NFXTA_REVISION,NFXTA_DATA>
<- NFXTM_ETARGET<NFXTA_NAME,NFXTA_REVISION,NFXTA_DATA>
<- NFXTM_RULE_END<>
<- NFXTM_RULE_START<>
<- NFXTM_ETARGET<NFXTA_VERDICT>
<- NFXTM_RULE_END<>
<- NLMSG_DONE

This is 9 messages with answers related to the ruleset.

If only a single nlmsg_type was possible for NLM_F_MULTI replies,
this is probably how things would have looked:

-> CHAIN_DUMP<NFXTA_NAME>
<- CHAIN_DUMP<NFXTA_RULE_START>
<- CHAIN_DUMP<NFXTA_MATCH_START>
<- CHAIN_DUMP<NFXTA_NAME><NFXTA_REVISION><NFXTA_DATA>
<- CHAIN_DUMP<NFXTA_MATCH_END>
<- CHAIN_DUMP<NFXTA_MATCH_START>
<- CHAIN_DUMP<NFXTA_NAME><NFXTA_REVISION><NFXTA_DATA>
<- CHAIN_DUMP<NFXTA_MATCH_END>
<- CHAIN_DUMP<NFXTA_TARGET_START>
<- CHAIN_DUMP<NFXTA_NAME><NFXTA_REVISION><NFXTA_DATA>
<- CHAIN_DUMP<NFXTA_TARGET_END>
<- CHAIN_DUMP<NFXTA_TARGET_START>
<- CHAIN_DUMP<NFXTA_NAME><NFXTA_REVISION><NFXTA_DATA>
<- CHAIN_DUMP<NFXTA_TARGET_END>
<- CHAIN_DUMP<NFXTA_RULE_END>
<- CHAIN_DUMP<NFXTA_RULE_START>
<- CHAIN_DUMP<NFXTA_TARGET_START>
<- CHAIN_DUMP<NFXTA_VERDICT>
<- CHAIN_DUMP<NFXTA_TARGET_END>
<- CHAIN_DUMP<NFXTA_RULE_END>
<- NLMSG_DONE

This requires more back-and-forth between userspace and the kernel:
19 messages instead. Using multiple nlmsg_type seems a good thing to
exploit.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
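Added here as an illustration, not code from the thread or from the Xtables2 proposal: a receiver for a NLM_F_MULTI dump shaped like the first exchange above. It dispatches on each part's nlmsg_type rather than assuming one type, groups parts between RULE_START and RULE_END, and bounds-checks every nlmsghdr and nlattr length against the received buffer before trusting it. The NFXTM_* and NFXTA_* numeric values are assumed placeholders, and build_msg only exists to construct sample input.

```python
import struct

# struct nlmsghdr: u32 len, u16 type, u16 flags, u32 seq, u32 pid (host order)
NLMSG_HDRLEN = 16
NLMSG_DONE = 0x3
NLM_F_MULTI = 0x2
# Placeholder numbers: the proposal names these types/attributes, the thread fixes no values
NFXTM_RULE_START, NFXTM_EMATCH, NFXTM_ETARGET, NFXTM_RULE_END = 0x10, 0x11, 0x12, 0x13
NFXTA_NAME, NFXTA_VERDICT = 1, 4

def nl_align(n):
    return (n + 3) & ~3

def build_msg(mtype, seq, attrs=(), flags=NLM_F_MULTI):  # constructs test input
    payload = b""
    for atype, value in attrs:
        payload += struct.pack("=HH", 4 + len(value), atype) + value
        payload += b"\0" * (nl_align(len(value)) - len(value))
    return struct.pack("=IHHII", NLMSG_HDRLEN + len(payload), mtype, flags, seq, 0) + payload

def parse_dump(buf, seq):
    """Walk one multi-part reply whose parts carry differing nlmsg_type values.
    Returns a list of rules, each a list of (nlmsg_type, {attr_type: bytes})."""
    rules, cur, off = [], None, 0
    while off + NLMSG_HDRLEN <= len(buf):
        mlen, mtype, flags, mseq, _ = struct.unpack_from("=IHHII", buf, off)
        if mlen < NLMSG_HDRLEN or off + mlen > len(buf):
            raise ValueError("nlmsg_len points outside the received buffer")
        if mseq != seq:
            raise ValueError("reply belongs to a different request (seq mismatch)")
        if mtype == NLMSG_DONE:
            return rules
        if not flags & NLM_F_MULTI:
            raise ValueError("non-NLM_F_MULTI part inside a dump")
        attrs, aoff = {}, off + NLMSG_HDRLEN
        while aoff + 4 <= off + mlen:  # struct nlattr: u16 nla_len, u16 nla_type
            alen, atype = struct.unpack_from("=HH", buf, aoff)
            if alen < 4 or aoff + alen > off + mlen:
                raise ValueError("nla_len points outside its message")
            attrs[atype] = buf[aoff + 4:aoff + alen]
            aoff += nl_align(alen)
        if mtype == NFXTM_RULE_START:
            cur = []
        elif mtype == NFXTM_RULE_END and cur is not None:
            rules.append(cur)
            cur = None
        elif cur is not None:
            cur.append((mtype, attrs))
        off += nl_align(mlen)
    raise ValueError("reply ended without NLMSG_DONE")
```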

