Date: Thu, 12 May 2016 11:57:26 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Michal Kubecek <mkubecek@...e.cz>
Cc: netfilter-devel@...r.kernel.org, Patrick McHardy <kaber@...sh.net>, Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>, Jonathan Corbet <corbet@....net>, coreteam@...filter.org, netdev@...r.kernel.org, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, bridge@...ts.linux-foundation.org
Subject: Re: [PATCH nf-next] netfilter: allow logging from non-init namespaces

Hi Michal,

On Wed, Apr 27, 2016 at 02:48:02PM +0200, Michal Kubecek wrote:
> Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace support for
> xt_LOG") disabled logging packets using the LOG target from non-init
> namespaces. The motivation was to prevent containers from flooding the
> kernel log of the host. The plan was to keep it that way until the syslog
> namespace implementation allows containers to log in a safe way.
>
> However, the work on the syslog namespace seems to have hit a dead end
> somewhere in 2013 and there are users who want to use xt_LOG in all
> network namespaces. This patch allows them to do so by setting

I understand this stuff is tricky. Did you already contact the namespace folks to see if they plan any move on this?

> /proc/sys/net/netfilter/nf_log_all_netns

My only concern with this is that I don't see how users know which log message was triggered from which container.

Thanks!