|
@dvyukov | |||||
|
Brace yourselves, more netfilter bugs are coming!
github.com/google/syzkall…
Bets on number of bugs in the first week
|
||||||
|
||||||
|
Dmitry Vyukov
@dvyukov
|
15. sij |
|
I thought netfilter/iptables is an attempt to build #bpf.
No, turns out it's an attempt to build #bpf twice
Get a taste of API surface:
github.com/google/syzkall…
github.com/google/syzkall…
github.com/google/syzkall…
github.com/google/syzkall…
github.com/google/syzkall…
github.com/google/syzkall…
|
||
|
|
||
|
Dmitry Vyukov
@dvyukov
|
15. sij |
|
Now, turns out there is also "netfilter tables API":
github.com/google/syzkall…
which reimplements all of the same with another set of expressions, objects, containers, registers, control flow, etc
_and_ also includes all of the legacy "xtables" recursively:
github.com/google/syzkall…
|
||
|
|
||
|
Dmitry Vyukov
@dvyukov
|
15. sij |
|
nf_table_api.c (just a subpart) is 8K lines of complex stateful C code:
elixir.bootlin.com/linux/v5.5-rc6…
Wonder what amount of resources was put into testing all of this... Like really testing, not just on few expected scenarios.
All of this is open to any unpriv user and containers.
|
||
|
|
||