On Sat, Jan 30, 2021 at 11:26 AM Lukas Wunner <lu...@wunner.de> wrote: > > On Sun, Jan 24, 2021 at 11:18:00AM -0500, Willem de Bruijn wrote: > > On Sun, Jan 24, 2021 at 6:14 AM Lukas Wunner <lu...@wunner.de> wrote: > > > On Fri, Jan 22, 2021 at 11:13:19AM -0500, Willem de Bruijn wrote: > > > > On Fri, Jan 22, 2021 at 4:44 AM Lukas Wunner <lu...@wunner.de> wrote: > > > > > Add egress hook for AF_PACKET sockets that have the > > > > > PACKET_QDISC_BYPASS > > > > > socket option set to on, which allows packets to escape without being > > > > > filtered in the egress path. > > > > > > > > > > This patch only updates the AF_PACKET path, it does not update > > > > > dev_direct_xmit() so the XDP infrastructure has a chance to bypass > > > > > Netfilter. > > > > > > > > Isn't the point of PACKET_QDISC_BYPASS to skip steps like this? > > > > > > I suppose PACKET_QDISC_BYPASS "was introduced to bypass qdisc, > > > not to bypass everything." > > > > > > (The quote is taken from this message by Eric Dumazet: > > > https://lore.kernel.org/netfilter-devel/a9006cf7-f4ba-81b1-fca1-fd2e97939...@gmail.com/ > > > ) > > > > I see. I don't understand the value of a short-cut fast path if we > > start chipping away at its characteristic feature. > > The point is to filter traffic coming in through af_packet. > Exempting PACKET_QDISC_BYPASS from filtering would open up a > trivial security hole.
Sure. But that argument is no different for TC_EGRESS. That's why packet sockets require CAP_NET_RAW. It is perhaps unfortunately that it is ns_capable instead of capable. But there is nothing netfilter specific about this.
