kaber at trash.net
Wed Aug 23 07:01:50 CEST 2006
Jozsef Kadlecsik wrote:
> My views on how to communicate is a little bit old-fashioned as I'm
> perfectly satisfied with sockopt. Yes, dusty. And old. Maybe even not cool
> but a hack. But reliable, which cannot absolutely be said about netlink.
> I shudder to think about the situation when a DDoS attack could prevent or
> just delay me to reconfigure a firewall. And please note even if we accept
> delaying it assumes that we are willing to face reimplementing a TCP-alike
> protocol over netlink to guarantee reliable message passing.
I don't think a DoS attack could prevent you from using netlink any
more than it could from setsockopt (netlink is even more efficient due
to less data copied around). Reliability is not hard to achieve on the
userspace->kernel path if you don't mind eating one RTT for each rule
update (which is not very large), just send the update and wait for
an ACK or an error, then handle it. Having more than one message in
flight introduces another problem besides congestion control and
reliable transmission, the resulting ruleset in the kernel might
depend on the order in which messages are received, if messages are
dropped in the middle and are simply retransmitted it will be wrong.
This should probably not be done.
> Yes. And I'd add one more priciple:
> + All parts must be designed to take into account rule- and
> (match/target) state-replication between firewalls in active-active
Agreed, that would be nice to have (and not very hard).
More information about the netfilter-devel