Received: with ECARTIS (v1.0.0; list netdev); Fri, 31 Dec 2004 02:38:34 -0800 (PST)
Received: from asia.telenet-ops.be (asia.telenet-ops.be [195.130.132.59])
	by oss.sgi.com (8.13.0/8.13.0) with ESMTP id iBVAc6Vd010890
	for <netdev@oss.sgi.com>; Fri, 31 Dec 2004 02:38:27 -0800
Received: from localhost (localhost.localdomain [127.0.0.1])
	by asia.telenet-ops.be (Postfix) with SMTP
	id 2CDF7224073; Fri, 31 Dec 2004 11:46:41 +0100 (MET)
Received: from 192.168.0.138 (D5763CA9.kabel.telenet.be [213.118.60.169])
	by asia.telenet-ops.be (Postfix) with ESMTP
	id BF49C224070; Fri, 31 Dec 2004 11:46:40 +0100 (MET)
Subject: Re: [PATCH][BRIDGE-NF] Fix wrong use of skb->protocol
From: Bart De Schuymer <bdschuym@pandora.be>
To: Lennert Buytenhek <buytenh@wantstofly.org>
Cc: "David S. Miller" <davem@davemloft.net>, netdev@oss.sgi.com,
        snort2004@mail.ru
In-Reply-To: <20041231083352.GA25031@xi.wantstofly.org>
References: <1104432914.15601.19.camel@localhost.localdomain>
	 <20041230222415.GB19587@xi.wantstofly.org>
	 <1104448248.15601.55.camel@localhost.localdomain>
	 <20041231083352.GA25031@xi.wantstofly.org>
Content-Type: text/plain
Date: Fri, 31 Dec 2004 11:51:00 +0100
Message-Id: <1104490260.3373.15.camel@localhost.localdomain>
Mime-Version: 1.0
X-Mailer: Evolution 2.0.2 (2.0.2-3) 
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.80/645/Mon Dec 27 14:56:20 2004
	clamav-milter version 0.80j
	on 127.0.0.1
X-Virus-Status: Clean
X-archive-position: 13282
X-ecartis-version: Ecartis v1.0.0
Sender: netdev-bounce@oss.sgi.com
Errors-to: netdev-bounce@oss.sgi.com
X-original-sender: bdschuym@pandora.be
Precedence: bulk
X-list: netdev

Op vr, 31-12-2004 te 09:33 +0100, schreef Lennert Buytenhek:

> Just one more thing: AFAIK it is possible to inject a raw IPv4 packet
> with an invalid IPv4 header.  So maybe the better 'fix' would be to have
> different hooks for PF_INET and PF_INET6, and distinguish v4/v6 packets
> that way instead of peeking into the header.  (The hook you're talking
> about is a PF_INET* and not a PF_BRIDGE hook, right?)

That was my original plan, but it seems such a waste.
Wouldn't injecting such an invalid IPv4 header also screw up iptables?
Is there any reason why someone should be allowed to do this?
I checked ip_tables.c::ipt_do_table() before using the IP version, and
it looks at the IP header too without any precautions AFAICT.

> Then again, that would add yet another function onto the already rather
> deep call chains that we have in there.

The netfilter scheme itself implies call chains.

> Too bad I don't see any cleaner way of integrating the whole bridging
> thing into the stack.  I wonder if any of the *BSDs found a cleaner way
> of doing this.

How about adding something like NF_STOP, which acts like NF_STOLEN but
still executes okfn in nf_hook_slow()?

cheers,
Bart