lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Dec 2012 08:23:50 -0500 From: Jamal Hadi Salim <jhs@...atatu.com> To: Jan Engelhardt <jengelh@...i.de> CC: Pablo Neira Ayuso <pablo@...filter.org>, Yury Stankevich <urykhy@...il.com>, shemonc@...il.com, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, netfilter-devel@...r.kernel.org Subject: Re: tc ipt action On 12-12-17 08:28 AM, Jan Engelhardt wrote: > > On Monday 2012-12-17 13:58, Jamal Hadi Salim wrote: > AFAICS, (one instance of) act_ipt today directly invokes (exactly one > instance of) a target. Design intent. You can have the same target instance used by specifying the same index on the command line. >With act_xt2 as drafted, it instead invokes a chain, which would > > 1. leave the construction of the target data and calling it > to the subsystems they conceptually belong to - the packet filter > 2. lets you do matches, jumps and all that. > I like #2. For #1 as long as it doesnt deviate from desire to have one or more instances of targets, we should be fine. > Good thing you ask. Chain names are unique within a netns, and this > act_xtables.c draft looks at the packet to get to know its netns, so > that seems fine. My motivation for that question: Is it possible to ignore the hook and tablename and just use the chain name? > However, your question also leads to looking at whether TC Actions > themselves are sufficiently netns-ified, and it seems this is _not_ > the case. Am I right in the observation that variables like > "tcf_ipt_ht" are in fact global rather tha per-netns? In general we dont need to worry about netns since actions are attached to the filters which are dependent on qdiscs which are dependent on netdevs which are per netns. I believe actions (not filters or qdiscs) have a way where this can be circumvented in one scenario (I can configure them bypassing the filter interface). Thanks for bringing this up - I will look at it. cheers, jamal -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists