Date: Fri, 05 Feb 2010 11:21:05 +0100
From: Patrick McHardy <kaber@...sh.net>
To: Jon Masters <jonathan@...masters.org>
CC: Alexey Dobriyan <adobriyan@...il.com>, davem@...emloft.net, eric.dumazet@...il.com, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org
Subject: Re: [PATCH for 2.6.33] conntrack: restrict runtime hashsize modifications

Jon Masters wrote:
> On Fri, 2010-02-05 at 11:03 +0100, Patrick McHardy wrote:
>> Jon Masters wrote:
>>> On Thu, 2010-02-04 at 18:04 +0100, Patrick McHardy wrote:
>>>>> How about alternatively moving nf_conntrack_hsize into the
>>>>> per-namespace struct? It doesn't look more complicated or
>>>>> intrusive and would allow to still change the init_net
>>>>> hashsize. Also seems less hackish :)
>>>> How about this (so far untested) patch? The htable_size is moved into
>>>> the per-namespace struct and initialized from the current (global)
>>>> value of nf_conntrack_htable_size. Changes through sysfs are still
>>>> permitted, but only affect the init namespace and newly created ones.
>>> I moved the random seed into the per-ns context as well. I think that's
>>> better than having a global one, and you don't need to rehash all.
>> That's another possibility. But we don't lose anything by not
>> reseeding during resize. It also shouldn't be possible to determine
>> the seed from userspace in a namespace, so there's no real need
>> to use separate values.
>
> Right, the risk there is hypothetical at best. But there's little lost
> in putting it in per-ns and then you can rehash and truly make them
> independent, which I think is really what netns is all about.

I don't disagree, but currently I'm trying to go for a minimal version
that's suitable for 2.6.33.