| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 01 Apr 2010 09:20:40 +0300 From: Timo Teräs <timo.teras@....fi> To: Herbert Xu <herbert@...dor.apana.org.au> CC: jamal <hadi@...erus.ca>, "David S. Miller" <davem@...emloft.net>, Patrick McHardy <kaber@...sh.net>, netdev@...r.kernel.org Subject: Re: [RFC] SPD basic actions per netdev Herbert Xu wrote: > On Thu, Apr 01, 2010 at 07:52:34AM +0300, Timo Teräs wrote: >> IMHO, it's slightly confusing that in/fwd is split, but out is not. >> But that's the way it works. If you now override the how interface >> is checked for 'out' policy, it'll break current behaviour. > > Unless I've misunderstood what his patch is trying to do, it would > seem that out policies would be completely unchanged. > > Forward policies are not used on output. Oh, that right. But my statement still holds. If iif/oif is swapped, it's changing current semantics and can end up breaking setups. Both are still valid for 'in' and 'fwd' policies too, right? What if I'm using 'in' policy to make sure that all stuff arriving via 'eth0' is encrypted, but 'eth1' is trusted and does not need xfrm. This would break. I do like the idea very much. In fact I remember asking this exact feature long time ago. But I think it should be done by explicitly allowing user to specify both iif and oif; even if it's more intrusive. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists