Bug #8698
openfirewall: non-sequential tx causes issues
Description
When non-sequential transactions are used (e.g. in http/2) the "apply to packet" logic fails in certain conditions. In the detection engine there is a lot of logic that hangs off the idea of a transaction being the last transaction. If this is the case accept:hook or accept:tx will also be applied to the packet. However in these non-sequential tx spaces, we might have a later tx that is not "updated", so it is skipped for inspection. This also means that the "last tx" logic is not triggered.
Can think of several possible solutions:
- when determining if a tx "is_last" we can scan the list for inactive txs. This would be a linear scan though, so not ideal
- instead of trying to determine per tx if actions should be applied to the packet, delay this determination until the last tx has been processed. More intrusive change but avoids the linear scan
- still process (somewhat) each inactive (so non-updated) tx. It would then do just enough for that tx to apply accept:hook/accept:tx to the packet.
Updated by Victor Julien 2 days ago
- Description updated (diff)
Updated by Shivani Bhardwaj 2 days ago
Not sure if ideal here but maybe the problem of

> when determining if a tx "is_last" we can scan the list for inactive txs. This would be a linear scan though, so not ideal

could possibly be solved by active reshuffling of large tx lists and always keeping inactive txs at the end of the list and accessing the list from the rear end until an active tx is found.
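Added example, not code from the bug report or from the project: a toy C model of the per-packet inspection loop the description talks about, showing how the "last tx" check misses when a later tx is not updated, and the three candidate fixes discussed so far (the forward scan for inactive txs, the deferred verdict, and Shivani's rear-end scan over a list that keeps inactive txs at the end). The structures, function names and sample tx lists are hypothetical and constructed for illustration only.

```c
/* Toy model of per-packet transaction inspection with a non-sequential tx
 * space. Hypothetical structures and names; not the project's own code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    unsigned id;
    bool updated;    /* tx has new data for this packet, so it gets inspected */
    bool accept_tx;  /* an accept:tx (or accept:hook) rule matched on this tx */
} Tx;

typedef struct {
    const Tx *txs;
    size_t count;
} TxList;

/* Constructed sample: tx 3 exists but was not updated by this packet, so it
 * is skipped for inspection (a later stream opened out of order). */
static const Tx kNonSeq[] = {
    { 1, true,  false },
    { 2, true,  true  },
    { 3, false, false },
};
static const TxList kNonSeqList = { kNonSeq, 3 };

/* Constructed sample where the highest-id tx is the one being inspected. */
static const Tx kSeq[] = {
    { 1, true, false },
    { 2, true, true  },
};
static const TxList kSeqList = { kSeq, 2 };

/* Current logic: "last" means highest id in the list. With kNonSeq this never
 * holds for tx 2, and tx 3 is skipped, so accept is never applied. */
static bool IsLastNaive(const TxList *l, size_t idx) {
    return idx + 1 == l->count;
}

/* Option 1 from the description: scan forward for a later tx that will
 * actually be inspected. Linear in the number of later txs. */
static bool IsLastScan(const TxList *l, size_t idx) {
    for (size_t i = idx + 1; i < l->count; i++)
        if (l->txs[i].updated) return false;
    return true;
}

/* Shivani's variant: if inactive txs are kept at the rear, walking back from
 * the end stops at the first active tx, usually after a step or two. */
static bool IsLastRear(const TxList *l, size_t idx) {
    for (size_t i = l->count; i > 0; i--)
        if (l->txs[i - 1].updated) return i - 1 == idx;
    return false;
}

/* Per-packet loop as in the description: non-updated txs are skipped, and
 * accept is applied to the packet only when the matching tx is "last". */
static bool InspectPacket(const TxList *l, bool (*is_last)(const TxList *, size_t)) {
    bool packet_accept = false;
    for (size_t i = 0; i < l->count; i++) {
        if (!l->txs[i].updated) continue;
        if (l->txs[i].accept_tx && is_last(l, i))
            packet_accept = true;
    }
    return packet_accept;
}

/* Option 2 from the description: no per-tx decision; remember the verdict of
 * the last tx actually inspected and apply it once the loop is done. */
static bool InspectPacketDeferred(const TxList *l) {
    bool seen = false, last_accept = false;
    for (size_t i = 0; i < l->count; i++) {
        if (!l->txs[i].updated) continue;
        seen = true;
        last_accept = l->txs[i].accept_tx;
    }
    return seen && last_accept;
}

int main(void) {
    printf("non-sequential: naive=%d scan=%d rear=%d deferred=%d\n",
           InspectPacket(&kNonSeqList, IsLastNaive),
           InspectPacket(&kNonSeqList, IsLastScan),
           InspectPacket(&kNonSeqList, IsLastRear),
           InspectPacketDeferred(&kNonSeqList));
    printf("sequential:     naive=%d scan=%d rear=%d deferred=%d\n",
           InspectPacket(&kSeqList, IsLastNaive),
           InspectPacket(&kSeqList, IsLastScan),
           InspectPacket(&kSeqList, IsLastRear),
           InspectPacketDeferred(&kSeqList));
    return 0;
}
```

On the non-sequential sample the naive check never applies the accept to the packet, while the other three approaches do; on the sequential sample all four agree. The rear scan is only cheap if the list really is kept partitioned with inactive txs at the end, otherwise it degrades to the same linear walk as the forward scan.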
Updated by Victor Julien about 19 hours ago
- Status changed from Assigned to In Progress
Updated by Victor Julien about 9 hours ago
- Status changed from In Progress to In Review