I don't understand your point. The checks I added enforce some basic aspects
of the specs; a packet that does not respect these aspects is just a malformed
packet, regardless of whether NPF is acting as a firewall or something else.

If NPF wasn't performing these checks, the packet would still be dropped by
the kernel afterwards.

We've already had too many problems because NPF basically doesn't sanitize
anything.
While I understand why you want a logical separation, I think that in all
fairness, the result is just shitty.

Typically, before my commit npc_hlen could point past the end of the mbuf. I
didn't even understand whether this was a real issue or not, because it gets
passed in many different components, and I wasn't able to make sure the
overflow was harmless (ie, make sure there are proper length checks in the
JIT code).

There is little interest in maintaining a logical separation if we are unable
to understand what happens in the complex machinery. As well, there is little
interest in passing a packet in this complex machinery if we know we'll end
up kicking it anyway because it is malformed to begin with.

So now let's perform basic sanitization early, outside of any ruleset, by
simply checking the return values of function calls that are *already there*.

Maxime

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Just a note: my reply was also with your other email thread "NPF: TCP
options" in mind. Perhaps this caused some confusion.
Sure, but if NPF is used for deep packet inspection, analysis, accounting
or monitoring -- this is a desirable behaviour. If my application is
observing traffic at some transient point in the network, then I do not
want it to drop the packets. Even if the packets are malformed, because
the main purpose of such application is to be packet *observer*. NPF can
operate as a *filter*, but it may as well operate as an *observer*. I am
just saying -- please do not disregard the latter use case and give user
an option.
Yes, but was kind of a rational choice. I think the core packet handlers
of NPF should still perform the minimum sanity checks, required merely for
NPF itself. Keep the core code simple and usable for packet observation.

There can be many defence mechanisms. Protecting the end hosts against
malformed or "unusual" packets is one of them. I am all for adding more
aggressive checks. But again -- please give user an option to control
this. I might *want* to send malformed packets, for whatever reason.
I do not see what logical separation has to do with npf_hlen bug or
"complex machinery". If you mean basic sanity checks such that NPF
could parse the information it needs -- sure; if there are cases where
ranges are not checked or overflows can happen -- those are bugs and
should be fixed.

Since NPF primarily operates from layer 3 and does not yet support L2
filtering, I think your extra checks for IP fragments are reasonable
(although I would rename the NPF_FMTERR to NPF_L3ERR as it reflects the
intention better). However, your suggested checks on the TCP options
should be optional. This is the point where we should have logical
separation i.e. L4 checks abstracted in a separate routine, potentially
with a way to configure how aggressive they should be (besides an option
to disable it completely).

What kernel? :) I think you miss the use cases such as NPF + DPDK.
It is actually a bigger user of NPF than NetBSD (at least as far as
I am aware).

Layer 2 filtering is in the plans.
It is the main and ultimate purpose of the "ruleset machinery" -- for the
packets to go through it. It also defines the default behaviour (to pass
or block the "rest" of the traffic). In the perfect world, everything
ought to be passed through the ruleset inspection -- and only through it,
since that would be a simple and "clean" design. In reality, things are
more complex and protocols are not always nice and simple.

BPF byte-code engine is an old and robust piece of code. I think the bugs
are much more likely to be somewhere else.. :)
Huh? I am not sure why do you think I suggest that. NPF nbuf API was
added to abstract mbufs, but another purpose also to provide stronger
safety. The return values should certainly be checked.
Not exactly, no. NPF is not a host/kernel. It is a man in the middle,
concerning packets sent by different hosts (which might have different
TCP/IP implementations and applications). It operates based on its own
set of rules.

Let me put it this way:

- NPF should perform minimum sanity checks to be able to read the basic
L3 payload from the packet for its own operation (-- I don't think we have
a disagreement here). However, generally, the *default rule* decides
whether unrecognizable (or malformed) packets are passed or not; this is
more or less how other packet filters work too.

- NPF should be able to operate as packet observer at L3 (and, in the
future, at L2). This should be a supported mode of operation, but I am
not trying to suggest that this should be the default.

- NPF ought to support additional protocol-level checks (at L3, L4 and
may as well go beyond). However, how strict and aggressive such checks
should be is something what should be tunable. For example, extensive
checks can protect hosts with weak or vulnerable TCP/IP stacks; but it
might also break some applications or legitimate traffic, because in
reality, not everybody on the Internet plays by the rules and standards.

The kernel performs sanity checks on IP packets even before invoking NPF.
This "accounting malformed packets" thing does not hold in the first place,
because at several points the kernel can drop the packets before, and after,
invoking NPF.

If the basic sanity checks I added in NPF (which consist, as I already said,
in checking the return values of function calls that are _already there_)
were to be an option, we would have to go through the ruleset machinery, which
is exactly where bugs can happen. That wouldn't be "fast kick", it would be
"slow, buggy kick". (heh!)

Not checking the return values of the nbuf functions, just for the sake of
some hypothetical "observer" thing that doesn't hold in the first place,
doesn't make any sense, apart from wanting more bugs by default.

A real "observer" would have to be some pseudo device, to which a copy of the
packet is given at the very entry point (L2) - in order to ensure that neither
the kernel nor any driver has sanitized anything. Perhaps we already have this,
I didn't really check. In all cases, NPF is never going to achieve that, as
long as it doesn't get called before anything else - which will likely never
happen, because it would be wrong.
What I'm saying is that there are overflows - npc_hlen that is beyond the
nbuf -, but I'm not sure whether they are real bugs.
You are mixing the "NPF: fast kick" and "NPF: TCP options" threads, but my
point is different in each.

For the latter, my point is that the processing done by NPF and by the kernel
should be the same, because if there is a divergence then there is a way to
bypass certain normalization procedures.

So NPF's behavior should be aligned to that of the kernel; that is to say, NPF
should ignore TCP options with uncommon lengths - which does not mean dropping
the packet. (We can discuss about changing the kernel's behavior to be that
of NPF, but as I said in my answer to Joerg, the kernel's behavior is the one
that is the most "common".)

Maxime

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

NPF does not run only in the NetBSD kernel.

Thor

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de