]> git.baikalelectronics.ru Git - kernel.git/commit
flow_dissector: allow access only to a subset of __sk_buff fields
authorStanislav Fomichev <sdf@google.com>
Mon, 1 Apr 2019 20:57:33 +0000 (13:57 -0700)
committerDaniel Borkmann <daniel@iogearbox.net>
Wed, 3 Apr 2019 14:49:48 +0000 (16:49 +0200)
commitfb23b6af3c833d03b0bfbc26a8af6602c64c4830
tree885eee23a75ca15ab8336bca87f53edc65fc0836
parent2520c174f3065fb9d3cc1c6f42eb1644ad7cb5e6
flow_dissector: allow access only to a subset of __sk_buff fields

Use whitelist instead of a blacklist and allow only a small set of
fields that might be relevant in the context of flow dissector:
  * data
  * data_end
  * flow_keys

This is required for the eth_get_headlen case where we have only a
chunk of data to dissect (i.e. trying to read the other skb fields
doesn't make sense).

Note, that it is a breaking API change! However, we've provided
flow_keys->n_proto as a substitute for skb->protocol; and there is
no need to manually handle skb->vlan_present. So even if we
break somebody, the migration is trivial. Unfortunately, we can't
support eth_get_headlen use-case without those breaking changes.

Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
net/core/filter.c