Message ID | 1255869758.4815.40.camel@dogo.mojatatu.com |
---|---|
State | RFC, archived |
Delegated to: | David Miller |
jamal wrote:
> Maciej forced me to dig into this ;->
>
> at the socket level if a packet arrives with a different mark than
> what we bind to, drop it. I have tested this patch and it drops a packet
> with mismatching mark.
>
> There are several approaches - and i think the patch suggestion i have
> made here may be too strict. I assume that if someone binds to a mark,
> they want to not only send packets with that mark but receive
> only if that mark is set.
> A looser check would be something along the lines of accept as well if mark
> is not set i.e
> if (sk->sk_mark && skb->mark && sk->sk_mark != skb->mark)
>
> Alternatively i could add one bit in the socket flags and have it so
> that check is made only if app has been explicit:
> if (sock_flag(sk, SOCK_CHK_SOMARK) && sk->sk_mark != skb->mark) drop
>
> Another approach is to set sock filter from app. I don't like this
> approach because it will be the least usable from app level and would be
> the least simple from kernel level.
>
> cheers,
> jamal
>

I vote for extending BPF, and not adding the price of a compare for each packet.

Only users wanting mark filtering should pay the price.
diff --git a/net/core/filter.c b/net/core/filter.c index d1d779c..6fcf577 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -85,6 +85,9 @@ int sk_filter(struct sock *sk, struct sk_buff *skb) if (err) return err; + if (sk->sk_mark && sk->sk_mark != skb->mark) + return -EPERM; + rcu_read_lock_bh(); filter = rcu_dereference(sk->sk_filter); if (filter) {
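Review bot: The new compare at the top of sk_filter() applies to every socket with a non-zero sk_mark and also drops packets whose skb->mark is 0 (unset), which is stricter than the looser `if (sk->sk_mark && skb->mark && sk->sk_mark != skb->mark)` variant discussed in the thread, and every marked socket pays the compare on every received packet whether or not the application asked for mark filtering; consider gating the check on an explicit opt-in (the SOCK_CHK_SOMARK socket flag mentioned in the discussion) or leaving it to a per-socket filter, and add a comment above the check stating the intended semantics and why -EPERM is the chosen return value.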