lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 16 May 2016 08:43:16 +0200
From:	Michal Kubecek <>
To:	Pablo Neira Ayuso <>
Cc:, Patrick McHardy <>,
	Jozsef Kadlecsik <>,
	Jonathan Corbet <>,,,,,
Subject: Re: [PATCH nf-next] netfilter: allow logging from non-init namespaces

On Thu, May 12, 2016 at 11:57:26AM +0200, Pablo Neira Ayuso wrote:
> Hi Michal,
> On Wed, Apr 27, 2016 at 02:48:02PM +0200, Michal Kubecek wrote:
> > Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace support for
> > xt_LOG") disabled logging packets using the LOG target from non-init
> > namespaces. The motivation was to prevent containers from flooding
> > kernel log of the host. The plan was to keep it that way until syslog
> > namespace implementation allows containers to log in a safe way.
> > 
> > However, the work on syslog namespace seems to have hit a dead end
> > somewhere in 2013 and there are users who want to use xt_LOG in all
> > network namespaces. This patch allows to do so by setting
> I understand this stuff is tricky. Did you contact already namespace
> folks to see if they plan any move on this?

Not yet. I'll contact the people involved in the discussion about the
serires submitted in 2013 to check what their plans are (and if there
are any).

> >   /proc/sys/net/netfilter/nf_log_all_netns
> My only concern with this is that I don't see how users know what log
> message has triggered from what container.

IMHO this is a more generic issue with containers: there is no (known to
me) link between userspace "containers" and kernel namespaces that could
be used in kernel log messages. In this case, --log-prefix can be used
in netfilter logging rules to identify the container messages belong to.

                                                          Michal Kubecek

Powered by blists - more mailing lists