Re: iptables very slow after commit 784544739a25c30637397ace5489eeb6e15d7d49





On Fri, 10 Apr 2009, Paul E. McKenney wrote:

> 1. Assuming that the synchronize_net() is intended to guarantee
> that the new rules will be in effect before returning to
> user space:

Btw, I think that's a bad assumption.

The thing is, nobody can really care if the new rules are in effect or
not, because the thing you race with is not the "return to user space"
part, but the incoming packets.

And those incoming packets might have been incoming before the rules were
set up too.

So I seriously doubt you need to synchronize with any returning to user
space. What you want to synchronize with is then later actions that do
things like turning on the interface that the rules are attached to etc!

So I would suggest:

- remove the synchronize_net() entirely. Replace it with just freeing the
old rules using RCU.

- new packets will always end up seeing the new rules. That includes the
case of somebody doing "ifconfig eth0 up" that enables a new source of
packets, so there are no real security issues.

- if you enabled your network interfaces before you updated your packet
filtering rules, you already had a window where packets would come in
with the old rules, so doing a "synchronize_net()" in no way protects
against any race conditions anyway.

Am I missing something?

Linus
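As an added illustration (not code from this thread or from the kernel), a small single-threaded C model of the scheme described above: the control path publishes the new table and queues the old one to be freed after a grace period instead of calling synchronize_net(), while the packet path always reads whichever table is current. The names replace_rules, run_grace_period, classify_port and the port-based rule format are constructed for the model; the grace period is driven explicitly rather than by the scheduler.

```c
#include <stdatomic.h>
#include <stdlib.h>
#define MAX_RULES 8
struct ruleset {
    int version;                 /* constructed: which load of the table this is */
    int nrules;
    int drop_ports[MAX_RULES];   /* constructed sample rule type: drop these ports */
    struct ruleset *next_free;   /* link on the deferred-free list */
};
static _Atomic(struct ruleset *) active_rules;  /* read by the packet path */
static struct ruleset *deferred_free;           /* old tables awaiting a grace period */
static int pending_frees;
/* Packet path (read side): uses whichever table is current now; never waits. */
int classify_port(int port)
{
    struct ruleset *rs = atomic_load_explicit(&active_rules, memory_order_acquire);
    if (!rs) return 1;                             /* no table yet: accept */
    for (int i = 0; i < rs->nrules; i++)
        if (rs->drop_ports[i] == port) return 0;   /* drop */
    return 1;                                      /* accept */
}
int active_version(void)
{
    struct ruleset *rs = atomic_load_explicit(&active_rules, memory_order_acquire);
    return rs ? rs->version : 0;
}
/* Control path (write side): publish the new table, queue the old one for
 * freeing (the call_rcu() analogue) and return at once: no synchronize_net(). */
void replace_rules(struct ruleset *fresh)
{
    struct ruleset *old = atomic_exchange_explicit(&active_rules, fresh, memory_order_acq_rel);
    if (old) { old->next_free = deferred_free; deferred_free = old; pending_frees++; }
}
int pending_free_count(void) { return pending_frees; }
/* End of a grace period: no reader can still hold a queued table, so free them. */
int run_grace_period(void)
{
    int freed = 0;
    for (struct ruleset *rs; (rs = deferred_free); freed++) {
        deferred_free = rs->next_free;
        free(rs);
    }
    pending_frees = 0;
    return freed;
}
struct ruleset *make_rules(int version, int drop_port)
{
    struct ruleset *rs = calloc(1, sizeof *rs);    /* constructed one-rule table */
    rs->version = version; rs->nrules = 1; rs->drop_ports[0] = drop_port;
    return rs;
}
```

Packets classified after replace_rules() returns already see the new table; the old one is only reclaimed once the grace period has run, which is what lets the writer skip the blocking wait.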


