Date: Mon, 23 Jun 2008 11:57:56 +0200
From: Patrick McHardy <kaber@...sh.net>
To: Alexey Dobriyan <adobriyan@...il.com>
CC: netdev@...r.kernel.org, netfilter-devel@...r.kernel.org, den@...nvz.org, xemul@...nvz.org, ebiederm@...ssion.com, benjamin.thery@...l.net, dlezcano@...ibm.com
Subject: Re: [PATCH 00/25] Conntracking and NAT in netns

Alexey Dobriyan wrote:
> Hi, patchbomb below makes significant parts of connection tracking and
> NAT code usable in netns and independent from other netns.
>
> Status is that it is lightly tested but more or less works, I used it on
> a box which provides NAT for another with all netdevices moved to netns,
> routing and iptables rules set up and rules flushed in init_net.

OK, I assume "Do not apply" applies to all patches then.

> So far so good.
>
> Weak points:
> a) races during netns destruction or conntrack modules unload
>    (see more in patches)
> b) grabbing netns from skb->dev or skb->dst->dev
>    these places should be checked with extreme scrutiny :-\

Will do.

> c) some stuff not converted (pptp, h323) -- it's like 10 minutes to make
>    a patch and full day to setup and test it :^)
> d) IPv6 conntracking wasn't tested.
>
> e) ordering probably should be redone (or it shouldn't since netfilter
>    is banned in netns as is, so nobody will care)

I think it's most important that it's bisectable for the non-ns case.
So that's OK.