Message-Id: <1399454661.19449.114587073.05E84176@webmail.messagingengine.com>
Date: Wed, 07 May 2014 02:24:21 -0700
From: Hannes Frederic Sowa <hannes@...essinduktion.org>
To: Lorenzo Colitti <lorenzo@...gle.com>,
David Miller <davem@...emloft.net>
Cc: David Newall <davidn@...idnewall.com>, netdev@...r.kernel.org,
JP Abgrall <jpa@...gle.com>
Subject: Re: [RFC net-next 0/4] Support UID range routing.
Hi,

On Tue, May 6, 2014, at 20:59, Lorenzo Colitti wrote:
> This doesn't just affect the source address, it similarly affects any
> other parameters that are taken from route lookups and stored in the
> socket, such as MSS, initial cwnd / rwnd / RTO, etc. Some (like MSS)
> can be fixed up with netfilter, but not all. Also, every connection
> made through this scheme takes up conntrack state, is affected by
> conntrack timeouts, etc.

I question the abstraction of using UIDs for matching routing rules.
E.g. FreeBSD uses setfib[1] to alter the view of the routing table per
process. E.g. an interface like ip rule exec (action ACTION)+ PROGRAM
would be much nicer in combination with a prctl, maybe? I would much
rather enjoy an interface not based on UIDs. Would something like that
solve your initial problem?

The other possibility that came to my mind would be that it is possible
to share interfaces and IP addresses per netns, but it seems more
difficult to implement.

Greetings,
Hannes

[1] http://www.freebsd.org/cgi/man.cgi?query=setfib&apropos=0&sektion=0&manpath=FreeBSD+10.0-RELEASE&arch=default&format=html