Message-ID: <m1zk9rwxf2.fsf@fess.ebiederm.org>
Date: Tue, 01 May 2012 11:47:45 -0700
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Gao feng <gaofeng@...fujitsu.com>
Cc: pablo@...filter.org, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org, serge.hallyn@...onical.com, dlezcano@...ibm.com
Subject: Re: [PATCH v2 00/17] netfilter: add namespace support for netfilter protos

Gao feng <gaofeng@...fujitsu.com> writes:

> Currently the sysctl of netfilter proto is not isolated, so when
> changing proto's sysctl in container will cause the host's sysctl
> be changed too. It's not expected.
>
> This patch set adds the namespace support for netfilter protos.
>
> Implement four pernet_operations to register sysctl and initial
> pernet data for proto.
>
> -ipv4_net_ops is used to register tcp4(compat),
>  udp4(compat), icmp(compat), ipv4(compat).
> -ipv6_net_ops is used to register tcp6, udp6 and icmpv6.
> -sctp_net_ops is used to register sctp4(compat) and sctp6.
> -udplite_net_ops is used to register udplite4 and udplite6.
>
> extern l[3,4]proto (sysctl) register functions to make them support
> namespace.
>
> Finally add namespace support for cttimeout.

I am a bit out of it this week so I could not look at these patches in
the detail that I would like. However, skimming through, it looks like
you addressed your review comments, and the changes look like the kind
of changes I would expect from something like this.

I assume you have tested to make certain your code actually works.

So on that basis for the patchset:

Acked-by: "Eric W. Biederman" <ebiederm@...ssion.com>

Anyone else want to chime in or does everyone else figure that this
code is ready to be merged and no additional comments are necessary?

Eric

> Gao feng (17):
>   netfilter: add struct nf_proto_net for register l4proto sysctl
>   netfilter: add namespace support for l4proto
>   netfilter: add namespace support for l3proto
>   netfilter: add namespace support for l4proto_generic
>   netfilter: add namespace support for l4proto_tcp
>   netfilter: add namespace support for l4proto_udp
>   netfilter: add namespace support for l4proto_icmp
>   netfilter: add namespace support for l4proto_icmpv6
>   netfilter: add namespace support for l3proto_ipv4
>   netfilter: add namespace support for l3proto_ipv6
>   netfilter: add namespace support for l4proto_sctp
>   netfilter: add namespace support for l4proto_udplite
>   netfilter: adjust l4proto_dccp to the nf_conntrack_l4proto_register
>   netfilter: adjust l4proto_gre4 to the nf_conntrack_l4proto_register
>   netfilter: cleanup sysctl for l4proto and l3proto
>   netfilter: add namespace support for cttimeout
>   netfilter: cttimeout use pernet data of l4proto
>
>  include/net/netfilter/nf_conntrack_l3proto.h   |  11 +-
>  include/net/netfilter/nf_conntrack_l4proto.h   |  32 ++-
>  include/net/netns/conntrack.h                  |  55 ++++
>  net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 127 ++++++--
>  net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |  55 +++-
>  net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |  88 ++++--
>  net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |  38 ++-
>  net/netfilter/nf_conntrack_core.c              |   7 +-
>  net/netfilter/nf_conntrack_proto.c             | 390 ++++++++++++++----------
>  net/netfilter/nf_conntrack_proto_dccp.c        | 141 +++++----
>  net/netfilter/nf_conntrack_proto_generic.c     |  69 ++++-
>  net/netfilter/nf_conntrack_proto_gre.c         |  66 +++--
>  net/netfilter/nf_conntrack_proto_sctp.c        | 157 +++++++--
>  net/netfilter/nf_conntrack_proto_tcp.c         | 136 ++++++--
>  net/netfilter/nf_conntrack_proto_udp.c         |  90 ++++--
>  net/netfilter/nf_conntrack_proto_udplite.c     | 125 ++++++--
>  net/netfilter/nfnetlink_cttimeout.c            |  13 +-
>  17 files changed, 1068 insertions(+), 532 deletions(-)