LKML Archive mirror
From: Florian Westphal <fw@strlen.de>
To: Cole Dishington <Cole.Dishington@alliedtelesis.co.nz>
Cc: fw@strlen.de, Pablo Neira Ayuso <pablo@netfilter.org>,
	Jozsef Kadlecsik <kadlec@netfilter.org>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Shuah Khan <shuah@kernel.org>,
	open list <linux-kernel@vger.kernel.org>,
	"open list:NETFILTER" <netfilter-devel@vger.kernel.org>,
	"open list:NETFILTER" <coreteam@netfilter.org>,
	"open list:NETWORKING [GENERAL]" <netdev@vger.kernel.org>,
	"open list:KERNEL SELFTEST FRAMEWORK" <linux-kselftest@vger.kernel.org>
Subject: Re: [PATCH v3] netfilter: nf_conntrack: Add conntrack helper for ESP/IPsec
Date: Wed, 5 May 2021 13:10:13 +0200
Message-ID: <20210505111013.GB12364@breakpoint.cc>
In-Reply-To: <20210503010646.11111-1-Cole.Dishington@alliedtelesis.co.nz>

Cole Dishington <Cole.Dishington@alliedtelesis.co.nz> wrote:
> +/* esp hdr info to tuple */
> +bool esp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
> +		      struct net *net, struct nf_conntrack_tuple *tuple)
> +{
[..]

> +	tuple->dst.u.esp.id = esp_entry->esp_id;
> +	tuple->src.u.esp.id = esp_entry->esp_id;
> +	return true;
> +}
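Review bot: in the visible tail of esp_pkt_to_tuple(), both tuple->src.u.esp.id and tuple->dst.u.esp.id are assigned the same esp_entry->esp_id and the function returns true unconditionally, so every packet that reaches these lines produces a valid tuple; the elided part should make the lookup failure path (no esp_entry for this packet) return false instead of falling through, and a short comment on why src and dst carry the same id would help, since with identical ids the inverted reply tuple cannot be told apart from the original direction by id alone.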

Did not consider this before, and it doesn't matter whether we follow this
approach or an expectation-based solution:

Do we need to be mindful about hole-punching?

The above will automatically treat the incoming (never-seen-before)
ESP packet as being part of the outgoing one, i.e. this will match
ESTABLISHED rule, not NEW.

With expectation based approach, this will auto-match a RELATED rule.

With normal expectations as used by helpers (ftp, sip and so on),
we nowadays don't do such auto-accept schemes anymore but instead
require explicit configuration, e.g. something like

iptables -t raw -p tcp -A PREROUTING -s $allowed  -d $ftpserver -j CT --helper "ftp"

... to make it explicit that the kernel may automatically permit
incoming connection requests to $allowed from $ftpserver.

Do we need to worry about this for ESP too?

If the expectation-based route is taken, another patch could be piled on
top that adds a fake ESP helper, whose only function is to let
esp_pkt_to_tuple() check if the 'outgoing/seen-before' ESP connection
has been configured with the "esp" helper, and then allow the expectation
(or, not allow it in case the existing esp ct doesn't have the esp helper).
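
An added example, not part of this mail or of the posted patch: a small C
model of the two policies contrasted above. It keeps a conntrack-like table
keyed on the inner/peer address pair, stores the outgoing SPI and, once
learned, the peer's inbound SPI, and classifies a never-seen inbound SPI from
a known peer either as ESTABLISHED unconditionally (the auto-accept behaviour
of the patch as posted) or only when the flow was explicitly given an "esp"
helper (the gate suggested above). The addresses, SPIs, packet bytes and the
address-pair keying are constructed for the demo; the real patch keys on the
esp_id mapping quoted above, which this model does not reproduce.

```c
/*
 * Added example, not kernel code: a toy model of the hole-punching question.
 * require_helper selects the policy: 0 folds any never-seen inbound SPI from a
 * known peer into the existing flow (ESTABLISHED); 1 only does so when the
 * flow was explicitly assigned the "esp" helper.  Addresses, SPIs and packet
 * bytes below are constructed for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ctstate { CT_NEW, CT_ESTABLISHED, CT_INVALID };
enum dir { DIR_OUT, DIR_IN };

struct esp_ct {
    uint32_t inner, peer;   /* IPv4 addresses, host byte order */
    uint32_t spi_out;       /* SPI of the outgoing packet that created the flow */
    uint32_t spi_in;        /* SPI learned from the peer, 0 while unknown */
    int helper;             /* 1 if the flow was assigned the "esp" helper */
    int used;
};

#define MAX_CT 8
#define INNER 0x0a000002u   /* 10.0.0.2, constructed */
#define PEER  0xc0a80101u   /* 192.168.1.1, constructed */

static struct esp_ct table[MAX_CT];

/* Constructed ESP payloads: 4-byte SPI followed by 4-byte sequence number. */
static const uint8_t pkt_out[8]       = { 0x00, 0x00, 0x10, 0x01, 0, 0, 0, 1 };
static const uint8_t pkt_in_unseen[8] = { 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 1 };
static const uint8_t pkt_short[4]     = { 0xde, 0xad, 0xbe, 0xef };

static void ct_flush(void) { memset(table, 0, sizeof table); }

/* RFC 4303: the SPI is the first four bytes of the ESP header, big endian. */
static int esp_spi(const uint8_t *esp, size_t len, uint32_t *spi)
{
    if (len < 8)            /* SPI + sequence number is the minimum */
        return 0;
    *spi = (uint32_t)esp[0] << 24 | (uint32_t)esp[1] << 16 |
           (uint32_t)esp[2] << 8 | (uint32_t)esp[3];
    return 1;
}

static struct esp_ct *ct_find(uint32_t inner, uint32_t peer)
{
    for (int i = 0; i < MAX_CT; i++)
        if (table[i].used && table[i].inner == inner && table[i].peer == peer)
            return &table[i];
    return NULL;
}

/* Classify one ESP packet and update the table.  helper_configured only
 * matters when an outgoing packet creates a new flow. */
static enum ctstate esp_classify(enum dir d, uint32_t src, uint32_t dst,
                                 const uint8_t *esp, size_t len,
                                 int require_helper, int helper_configured)
{
    uint32_t spi;
    struct esp_ct *ct;

    if (!esp_spi(esp, len, &spi))
        return CT_INVALID;

    if (d == DIR_OUT) {
        ct = ct_find(src, dst);
        if (ct && ct->spi_out == spi)
            return CT_ESTABLISHED;
        for (int i = 0; i < MAX_CT; i++) {
            if (table[i].used)
                continue;
            table[i] = (struct esp_ct){ src, dst, spi, 0, helper_configured, 1 };
            return CT_NEW;
        }
        return CT_INVALID;  /* table full */
    }

    /* Inbound: src is the peer, dst the inner host. */
    ct = ct_find(dst, src);
    if (!ct)
        return CT_NEW;      /* unsolicited ESP: only a NEW rule can admit it */
    if (ct->spi_in == spi)
        return CT_ESTABLISHED;
    if (ct->spi_in == 0 && (!require_helper || ct->helper)) {
        ct->spi_in = spi;   /* hole punched: bind the peer's SPI to the flow */
        return CT_ESTABLISHED;
    }
    return CT_NEW;          /* unseen SPI, flow lacks the helper: not auto-accepted */
}

/* Replay: the inner host sends ESP to the peer, then the peer answers with
 * an SPI the table has never seen.  Returns the verdict for that reply. */
static enum ctstate replay(int require_helper, int helper_configured)
{
    ct_flush();
    esp_classify(DIR_OUT, INNER, PEER, pkt_out, sizeof pkt_out,
                 require_helper, helper_configured);
    return esp_classify(DIR_IN, PEER, INNER, pkt_in_unseen,
                        sizeof pkt_in_unseen, require_helper, 0);
}

int main(void)
{
    static const char *name[] = { "NEW", "ESTABLISHED", "INVALID" };
    printf("patch as posted, no gate:    %s\n", name[replay(0, 0)]);
    printf("gated, flow without helper:  %s\n", name[replay(1, 0)]);
    printf("gated, flow with esp helper: %s\n", name[replay(1, 1)]);
    printf("truncated ESP header:        %s\n",
           name[esp_classify(DIR_IN, PEER, INNER, pkt_short, sizeof pkt_short, 0, 0)]);
    return 0;
}
```

The first replay is the case the mail warns about: the peer's reply carries an
SPI the table has never seen, yet it matches ESTABLISHED simply because the
inner host once sent ESP to that peer. With the gate, the same reply is NEW
unless the flow was created with the helper, which is what an explicit
`-j CT --helper "esp"` rule in the raw table would express.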


Thread overview: 10+ messages
2021-04-14  3:53 [PATCH] netfilter: nf_conntrack: Add conntrack helper for ESP/IPsec Cole Dishington
2021-04-14 15:40 ` Florian Westphal
2021-04-20 22:35   ` Cole Dishington
2021-04-26 11:54     ` Florian Westphal
2021-04-26 12:37       ` Florian Westphal
2021-05-03  1:06         ` [PATCH v3] " Cole Dishington
2021-05-04 19:22           ` Florian Westphal
2021-05-05 11:10           ` Florian Westphal [this message]
2021-05-05 12:16   ` [PATCH] " Jan Engelhardt
2021-05-06  2:59     ` Cole Dishington
