Message-ID: <20160512095726.GA1975@salvia>
Date:	Thu, 12 May 2016 11:57:26 +0200
From:	Pablo Neira Ayuso <pablo@...filter.org>
To:	Michal Kubecek <mkubecek@...e.cz>
Cc:	netfilter-devel@...r.kernel.org, Patrick McHardy <kaber@...sh.net>,
	Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
	Jonathan Corbet <corbet@....net>, coreteam@...filter.org,
	netdev@...r.kernel.org, linux-doc@...r.kernel.org,
	linux-kernel@...r.kernel.org, bridge@...ts.linux-foundation.org
Subject: Re: [PATCH nf-next] netfilter: allow logging from non-init namespaces

Hi Michal,

On Wed, Apr 27, 2016 at 02:48:02PM +0200, Michal Kubecek wrote:
> Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace support for
> xt_LOG") disabled logging packets using the LOG target from non-init
> namespaces. The motivation was to prevent containers from flooding
> kernel log of the host. The plan was to keep it that way until syslog
> namespace implementation allows containers to log in a safe way.
> 
> However, the work on syslog namespace seems to have hit a dead end
> somewhere in 2013 and there are users who want to use xt_LOG in all
> network namespaces. This patch allows doing so by setting

I understand this stuff is tricky. Did you already contact the namespace
folks to see if they plan any move on this?

>   /proc/sys/net/netfilter/nf_log_all_netns

My only concern with this is that I don't see how users know which log
message was triggered from which container.

Thanks!
