I thought netfilter/iptables is an attempt to build #bpf.
No, turns out it's an attempt to build #bpf twice
Get a taste of API surface:
https://github.com/google/syzkaller/blob/master/sys/linux/netfilter.txt
https://github.com/google/syzkaller/blob/master/sys/linux/netfilter_targets.txt
https://github.com/google/syzkaller/blob/master/sys/linux/netfilter_arp.txt
https://github.com/google/syzkaller/blob/master/sys/linux/netfilter_bridge.txt
https://github.com/google/syzkaller/blob/master/sys/linux/netfilter_ipv4.txt
https://github.com/google/syzkaller/blob/master/sys/linux/netfilter_ipv6.txt
Now, turns out there is also "netfilter tables API": https://github.com/google/syzkaller/blob/master/sys/linux/socket_netlink_netfilter_nftables.txt which reimplements all of the same with another set of expressions, objects, containers, registers, control flow, etc _and_ also includes all of the legacy "xtables" recursively: https://github.com/google/syzkaller/blob/master/sys/linux/socket_netlink_netfilter_nftables.txt#L400-L412
nf_tables_api.c (just a subpart) is 8K lines of complex stateful C code: https://elixir.bootlin.com/linux/v5.5-rc6/source/net/netfilter/nf_tables_api.c Wonder what amount of resources was put into testing all of this... Like really testing, not just on a few expected scenarios. All of this is open to any unpriv user and containers.
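The "open to any unpriv user" point rests on unprivileged user namespaces: a process that can create a user namespace gets CAP_NET_ADMIN over its own network namespace and can therefore drive the nf_tables netlink API from there. The script below is an added example, not part of the original thread or of syzkaller, that reports whether a host still permits that. It reads the two sysctl knobs that govern it, user.max_user_namespaces (mainline) and kernel.unprivileged_userns_clone (a Debian/Ubuntu patch, absent elsewhere); the /proc/sys root is taken as an argument so the function can be pointed at a constructed copy, and the distribution-specific knob is an assumption about the distributions that carry it.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether unprivileged
# processes on this host can create user namespaces, the usual route by which
# an unprivileged user reaches the nf_tables netlink API described above.
#
# $1: root of a /proc/sys tree (defaults to the live /proc/sys); a constructed
#     copy can be passed in for testing.
# Prints one of: restricted, allowed, unknown.
userns_status() {
    root="${1:-/proc/sys}"
    max_ns_file="$root/user/max_user_namespaces"
    debian_file="$root/kernel/unprivileged_userns_clone"

    # Mainline knob: 0 in the initial user namespace blocks creation outright.
    if [ -r "$max_ns_file" ]; then
        max_ns=$(cat "$max_ns_file")
    else
        max_ns="unknown"
    fi

    # Debian/Ubuntu-specific knob (assumption: only those kernels carry it);
    # 0 means unprivileged clone(CLONE_NEWUSER) is refused.
    if [ -r "$debian_file" ]; then
        debian=$(cat "$debian_file")
    else
        debian="absent"
    fi

    if [ "$max_ns" = "0" ] || [ "$debian" = "0" ]; then
        echo "restricted"
    elif [ "$max_ns" = "unknown" ] && [ "$debian" = "absent" ]; then
        echo "unknown"
    else
        echo "allowed"
    fi
}

# Stand-alone use: inspect the running host.
if [ "${0##*/}" = "userns_check.sh" ]; then
    userns_status
fi
```

A result of "allowed" means the nf_tables attack surface the thread describes is reachable by every local account and every container that is not otherwise confined (seccomp filters on clone/unshare, or a hardened kernel, change that picture); "restricted" only narrows it to processes that already hold CAP_NET_ADMIN.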