Open Source and information security mailing list archives
Date:	Wed, 07 May 2014 02:24:21 -0700
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Lorenzo Colitti <lorenzo@...gle.com>,
	David Miller <davem@...emloft.net>
Cc:	David Newall <davidn@...idnewall.com>, netdev@...r.kernel.org,
	JP Abgrall <jpa@...gle.com>
Subject: Re: [RFC net-next 0/4] Support UID range routing.

Hi,

On Tue, May 6, 2014, at 20:59, Lorenzo Colitti wrote:
> This doesn't just affect the source address, it similarly affects any
> other parameters that are taken from route lookups and stored in the
> socket, such as MSS, initial cwnd / rwnd / RTO, etc. Some (like MSS)
> can be fixed up with netfilter, but not all. Also, every connection
> made through this scheme takes up conntrack state, is affected by
> conntrack timeouts, etc.

I question the abstraction of using UIDs for matching routing rules.
E.g. FreeBSD uses setfib[1] to alter the view of the routing table per
process. E.g. an interface like ip rule exec (action ACTION)+ PROGRAM
would be much nicer in combination with a prctl, maybe? I would much
rather enjoy an interface not based on UIDs. Would something like that
solve your initial problem?

The other possibility that came to my mind would be that it is possible
to share interfaces and IP addresses per netns, but it seems more
difficult to implement.

Greetings,

  Hannes

[1]
http://www.freebsd.org/cgi/man.cgi?query=setfib&apropos=0&sektion=0&manpath=FreeBSD+10.0-RELEASE&arch=default&format=html
