lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 23 Jan 2024 10:59:04 +0100
From: Lorenzo Bianconi <lorenzo@...nel.org>
To: Chuck Lever <chuck.lever@...cle.com>
Cc: NeilBrown <neilb@...e.de>, Jeff Layton <jlayton@...nel.org>,
	linux-nfs@...r.kernel.org, lorenzo.bianconi@...hat.com,
	kuba@...nel.org, horms@...nel.org, netdev@...r.kernel.org
Subject: Re: [PATCH v6 3/3] NFSD: add write_ports to netlink command

> On Tue, Jan 23, 2024 at 08:35:07AM +1100, NeilBrown wrote:
> > On Tue, 23 Jan 2024, Jeff Layton wrote:
> > > On Sat, 2024-01-20 at 18:33 +0100, Lorenzo Bianconi wrote:
> > > > Introduce write_ports netlink command. For listener-set, userspace is
> > > > expected to provide a NFS listeners list it wants to enable (all the
> > > > other ports will be closed).
> > > > 
> > > 
> > > Ditto here. This is a change to a declarative interface, which I think
> > > is a better way to handle this, but we should be aware of the change.
> > 
> > I agree it is better, and thanks for highlighting the change.
> > 
> > > > +	/* 2- remove stale listeners */
> > > 
> > > 
> > > The old portlist interface was weird, in that it was only additive. You
> > > couldn't use it to close a listening socket (AFAICT). We may be able to
> > > support that now with this interface, but we'll need to test that case
> > > carefully.
> > 
> > Do we ever want/need to remove listening sockets?
> 
> I think that might be an interesting use case. Disabling RDMA, for
> example, should kill the RDMA listening endpoints but leave
> listening sockets in place.
> 
> But for now, our socket listeners are "any". Wondering how net
> namespaces play into this.
> 
> 
> > Normal practice when making any changes is to stop and restart where
> > "stop" removes all sockets, unexports all filesystems, disables all
> > versions.
> > I don't exactly object to supporting fine-grained changes, but I suspect
> > anything that is not used by normal service start will hardly ever be
> > used in practice, so will not be tested.
> 
> Well, there is that. I guess until we have test coverage for NFSD
> administrative interfaces, we should leave well enough alone.

So to summarize it:
- we will allow to remove enabled versions (as it is in patch v6 2/3)
- we will allow to add new listening sockets but we will not allow to remove
  them (the user/admin will need to stop/start the server).

Agree? If so I will work on it and post v7.

Regards,
Lorenzo

> 
> 
> > So if it is easiest to support reverting previous configuration (as it
> > probably is for version setting), then do so.  But if there is any
> > complexity (as maybe there is with listening sockets), then don't
> > add complexity that won't be used.
> > 
> > Thanks,
> > NeilBrown
> 
> -- 
> Chuck Lever

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ