Open Source and information security mailing list archives
Message-ID: <20080622215420.GA4076@martell.zuzino.mipt.ru>
Date:	Mon, 23 Jun 2008 01:54:21 +0400
From:	Alexey Dobriyan <adobriyan@...il.com>
To:	Daniel Lezcano <dlezcano@...ibm.com>
Cc:	kaber@...sh.net, netdev@...r.kernel.org,
	netfilter-devel@...r.kernel.org, den@...nvz.org, xemul@...nvz.org,
	ebiederm@...ssion.com, benjamin.thery@...l.net
Subject: Re: [PATCH 00/25] Conntracking and NAT in netns

On Sun, Jun 22, 2008 at 11:41:56PM +0200, Daniel Lezcano wrote:
> Alexey Dobriyan wrote:
>> Hi, patchbomb below makes significant parts of connection tracking and
>> NAT code usable in netns and independent from other netns.
>> Status is that it is lightly tested but more or less works, I used it on
>> a box which provides NAT for another with all netdevices moved to netns,
>> routing and iptables rules set up and rules flushed in init_net.
>> So far so good.
>> Weak points:
>> a) races during netns destruction or conntrack modules unload
>>    (see more in patches)
>> b) grabbing netns from skb->dev or skb->dst->dev
>>    these places should be checked with extreme scrutiny :-\
>> c) some stuff not converted (pptp, h323) -- it's like 10 minutes to make
>>    a patch and full day to setup and test it :^)
>> d) IPv6 conntracking wasn't tested.
>> e) ordering probably should be redone (or it shouldn't since netfilter
>>    is banned in netns as is, so nobody will care)
>
> You describe this patchset as not finished and there is a patch not to be
> applied, shall I assume it is an RFC?

Well, more or less. It's something like 90% similar to the final thing
unless somebody finds some serious issue.

The patch not to be applied (yet) is for people wanting to try these patches
and not waste time fixing the "iptables doesn't work" problem.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
