Date: Thu, 26 Nov 2009 16:33:36 +0100
From: Patrick McHardy <kaber@...sh.net>
To: Arnd Bergmann <arnd@...db.de>
CC: David Miller <davem@...emloft.net>, "Eric W. Biederman" <ebiederm@...ssion.com>, virtualization@...ts.linux-foundation.org, Herbert Xu <herbert@...dor.apana.org.au>, Eric Dumazet <eric.dumazet@...il.com>, Anna Fischer <anna.fischer@...com>, netdev@...r.kernel.org, bridge@...ts.linux-foundation.org, linux-kernel@...r.kernel.org, Mark Smith <lk-netdev@...netdev.nosense.org>, Gerhard Stenzel <gerhard.stenzel@...ibm.com>, Jens Osterkamp <jens@...ux.vnet.ibm.com>, Patrick Mullaney <pmullaney@...ell.com>, Stephen Hemminger <shemminger@...tta.com>
Subject: Re: [PATCH 1/4] veth: move loopback logic to common location

Arnd Bergmann wrote:
> On Tuesday 24 November 2009, Patrick McHardy wrote:
>> Eric W. Biederman wrote:
>>> I don't quite follow what you intend with dev_queue_xmit when the macvlan
>>> is in one namespace and the real physical device is in another. Are
>>> you mentioning that the packet classifier runs in the namespace where
>>> the primary device lives with packets from a different namespace?
>> Exactly. And I think we should make sure that the namespace of
>> the macvlan device can't (deliberately or accidentally) cause
>> misclassification.
>
> This is independent of my series and a preexisting problem, right?

Correct.

> Which fields do you think need to be reset to maintain namespace
> isolation for the outbound path in macvlan?

In addition to those already handled, I'd say

- priority: affects qdisc classification, may refer to classes of the old namespace
- ipvs_property: might cause packets to incorrectly skip netfilter hooks
- nf_trace: might trigger packet tracing
- nf_bridge: contains references to network devices in the old NS, also indicates packet was bridged
- iif: index is only valid in the originating namespace
- tc_index: classification result, should only be set in the namespace of the classifier
- tc_verd: RTTL etc. should begin at zero again
- probably secmark.
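The field list above, as an added worked example that is not code from this thread or from the kernel: a userland C model of the sk_buff fields Patrick names, with a scrub routine that clears them only when the packet actually crosses a namespace boundary. struct model_skb, struct nf_bridge_info, nf_bridge_alloc/nf_bridge_put, skb_scrub_netns_state, skb_has_origin_ns_state, make_tainted_skb and run_scrub_demo are all names assumed for the example; the real sk_buff and nf_bridge_info layouts differ, and every field value below is constructed, not captured. The fields the series under review already resets (the "those already handled" in the mail) are deliberately not modelled.

```c
/* Added example: userland model of the per-field namespace scrub discussed
 * in the thread. NOT kernel code; struct and field names are stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct nf_bridge_info: refcounted, holding device pointers
 * that only mean something in the namespace where the packet was bridged. */
struct nf_bridge_info {
    int use;                 /* refcount, as in the real struct */
    void *physindev;         /* net_device of the originating namespace */
    void *physoutdev;
};

static int nf_bridge_live;   /* live nf_bridge_info objects, for the demo check */

static struct nf_bridge_info *nf_bridge_alloc(void)
{
    struct nf_bridge_info *nfb = calloc(1, sizeof(*nfb));
    if (nfb) { nfb->use = 1; nf_bridge_live++; }
    return nfb;
}

static void nf_bridge_put(struct nf_bridge_info *nfb)
{
    if (nfb && --nfb->use == 0) { free(nfb); nf_bridge_live--; }
}

/* Stand-in for struct sk_buff: only the fields named in the mail, plus one
 * field (len) that a namespace change must leave untouched. */
struct model_skb {
    unsigned int len;
    uint32_t priority;
    int iif;
    uint16_t tc_index;
    uint16_t tc_verd;
    uint32_t secmark;
    unsigned int ipvs_property:1;
    unsigned int nf_trace:1;
    struct nf_bridge_info *nf_bridge;
};

/* Clear all state whose meaning is bound to the originating namespace.
 * xnet is true only when the packet really changes namespaces; a macvlan
 * in the same namespace as its lower device keeps its classification state. */
void skb_scrub_netns_state(struct model_skb *skb, bool xnet)
{
    if (!xnet)
        return;
    skb->priority = 0;            /* may name a qdisc class of the old namespace */
    skb->iif = 0;                 /* ifindex is only valid where it was assigned */
    skb->tc_index = 0;            /* classification result of the old classifier */
    skb->tc_verd = 0;             /* RTTL etc. start from zero again */
    skb->secmark = 0;
    skb->ipvs_property = 0;       /* otherwise netfilter hooks may be skipped */
    skb->nf_trace = 0;            /* otherwise tracing fires in the new namespace */
    nf_bridge_put(skb->nf_bridge); /* releases device references of the old NS */
    skb->nf_bridge = NULL;
}

/* True if any origin-namespace state is still attached to the skb. */
bool skb_has_origin_ns_state(const struct model_skb *skb)
{
    return skb->priority || skb->iif || skb->tc_index || skb->tc_verd ||
           skb->secmark || skb->ipvs_property || skb->nf_trace ||
           skb->nf_bridge != NULL;
}

/* Fill an skb the way it might look after bridging plus tc classification
 * in the originating namespace (constructed values). */
void make_tainted_skb(struct model_skb *skb)
{
    memset(skb, 0, sizeof(*skb));
    skb->len = 64;
    skb->priority = 0x00010003;   /* looks like a class handle 1:3 */
    skb->iif = 7;
    skb->tc_index = 5;
    skb->tc_verd = 0x40;
    skb->secmark = 42;
    skb->ipvs_property = 1;
    skb->nf_trace = 1;
    skb->nf_bridge = nf_bridge_alloc();
}

/* The checks a reviewer would want: same-namespace hop leaves state alone,
 * cross-namespace hop clears it, payload survives, nf_bridge ref is dropped.
 * Returns the number of failed checks (0 on success). */
int run_scrub_demo(void)
{
    struct model_skb skb;
    int failures = 0;

    make_tainted_skb(&skb);
    failures += !skb_has_origin_ns_state(&skb);

    skb_scrub_netns_state(&skb, false);
    failures += !skb_has_origin_ns_state(&skb);

    skb_scrub_netns_state(&skb, true);
    failures += skb_has_origin_ns_state(&skb);
    failures += (skb.len != 64);
    failures += (nf_bridge_live != 0);
    return failures;
}

int main(void)
{
    int f = run_scrub_demo();
    printf("%s (%d failed check%s)\n", f ? "FAIL" : "OK", f, f == 1 ? "" : "s");
    return f ? 1 : 0;
}
```

Build with `cc -Wall -o scrub scrub.c && ./scrub`. The xnet gate is the part worth keeping in mind when reading the real driver paths: unconditionally zeroing these fields would also strip the classification state of a macvlan that lives in the same namespace as its lower device, which is the common case.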