Message-ID: <47D137AB.9040305@balabit.hu>
Date:	Fri, 07 Mar 2008 13:40:11 +0100
From:	Laszlo Attila Toth <panther@...abit.hu>
To:	David Miller <davem@...emloft.net>
CC:	netdev@...r.kernel.org
Subject: Re: [PATCHv8 1/2] Interface group: core and netlink part

David Miller wrote:
> From: Laszlo Attila Toth <panther@...abit.hu>
> Date: Thu,  6 Mar 2008 15:03:58 +0100
> 
>> Interface groups let different interfaces be handled together.
>> Modified net device structure and netlink interface.
>>
>> Signed-off-by: Laszlo Attila Toth <panther@...abit.hu>
> 
> I can't say whether this makes sense without seeing how
> it will actually be used.

The userspace has two parts, one is in iproute2:

  ip link set dev eth0 group 4

  ip link show dev eth0
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast group 0x04 qlen 1000
    link/ether 00:0c:29:97:52:99 brd ff:ff:ff:ff:ff:ff

This is still nothing special.

Where can it be used? The netfilter part is an ifgroup match:

  iptables -A INPUT -m ifgroup --ifgroup-in 4/0xf ...
  iptables -A OUTPUT -m ifgroup --ifgroup-out 4/0xf ...

Also, multiple devices can be grouped and handled with one rule. Although
the interfaces can be named as the user wants, that is not always enough
(I mean, for instance: iptables ... -i ppp+ ...).


Consider the following example (a bit complex, I think): a VPN server
has many clients, but not all services and networks have to be accessible
for each client, so an ACL is needed (or the same situation on a
router with several interfaces). The ifgroup value has 32 bits, so 32
different rules can be set up. The only necessary thing is for the
corresponding "if-up" scripts to calculate the value corresponding to
the ACL list and set this as the ifgroup value for the device. Then, in
the netfilter rules, access to unneeded services can be rejected with a
single rule:

   iptables -A PREROUTING -m ifgroup --ifgroup-in 0/0x4 ... -j REJECT ...

Also, the ifgroup match helps iptables rules to be simpler. Without it
a new chain is necessary, and on every interface change a new rule has to
be added/removed. If two iptables commands are running, AFAIK a
concurrency problem can occur because both iptables commands
download the ruleset, change it and upload it, but only one of them is
taken into account.


Another possible use case (I have no patch for it yet):
currently the ip command can access information on exactly one device or
all of them, but it cannot be restricted to just a few of them. With ifgroup this
problem can be solved, so instead of:

  ip link show dev eth0

use

   ip link show group 3

and so on.


> If that's all it is, userland can record such mappings
> in the filesystem or elsewhere such that multiple
> applications can work with and maintain the relationships.
> There is zero reason to add this bloat to the kernel in
> such a case.

Yeah, without the netfilter rules this would be unnecessary in the
kernel, but the netfilter part depends on it.

--
Attila
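As an added example (not code from the message above or from the iproute2/netfilter patches), a POSIX shell sketch of the "if-up" script idea: each ACL maps to one bit of the 32-bit ifgroup value, and a small function models the VALUE/MASK comparison the rules rely on. The ACL-to-bit table and the match semantics (masked compare) are assumptions made here; the commands are printed, not executed.

```shell
#!/bin/sh
# Added example: models the if-up script and the ifgroup VALUE/MASK test.
# The ACL table and the masked-compare semantics are assumptions.

# Constructed ACL table: one bit position per service an interface may reach.
acl_bit() {
  case "$1" in
    dns) echo 0 ;; web) echo 1 ;; mail) echo 2 ;; admin) echo 3 ;;
    *) return 1 ;;
  esac
}

# ifgroup_value ACL... -> hex ifgroup value with one bit set per permitted ACL.
ifgroup_value() {
  v=0
  for acl in "$@"; do
    b=$(acl_bit "$acl") || { echo "unknown ACL: $acl" >&2; return 1; }
    v=$(( v | (1 << b) ))
  done
  printf '0x%x\n' "$v"
}

# ifgroup_match GROUP VALUE MASK -> succeeds when the interface's group matches
# "VALUE/MASK" (assumed semantics: compare only the bits selected by MASK).
ifgroup_match() {
  [ $(( $1 & $3 )) -eq $(( $2 & $3 )) ]
}

# ifup_commands DEV ACL... -> prints what the if-up script would run.
# Printed rather than executed, so it can be inspected without root.
ifup_commands() {
  dev=$1; shift
  g=$(ifgroup_value "$@") || return 1
  echo "ip link set dev $dev group $g"
}

# Would the REJECT rule from the message (--ifgroup-in 0/0x4, i.e. the
# assumed "mail" bit clear) hit an interface with this group value?
mail_rejected() {
  if ifgroup_match "$1" 0 0x4; then echo yes; else echo no; fi
}
```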