Message-ID: <1421081514.4099.14.camel@edumazet-glaptop2.roam.corp.google.com>
Date: Mon, 12 Jan 2015 08:51:54 -0800
From: Eric Dumazet <eric.dumazet@...il.com>
To: Patrick Schaaf <netdev@....de>
Cc: Richard Weinberger <richard@....at>, davem@...emloft.net,
coreteam@...filter.org, netfilter-devel@...r.kernel.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
bhutchings@...arflare.com, john.fastabend@...il.com,
herbert@...dor.apana.org.au, vyasevic@...hat.com, jiri@...nulli.us,
vfalico@...il.com, therbert@...gle.com, edumazet@...gle.com,
yoshfuji@...ux-ipv6.org, jmorris@...ei.org, kuznet@....inr.ac.ru,
kadlec@...ckhole.kfki.hu, kaber@...sh.net, pablo@...filter.org,
kay@...y.org, stephen@...workplumber.org
Subject: Re: [PATCH 2/3] x_tables: Use also dev->ifalias for interface matching
On Mon, 2015-01-12 at 17:39 +0100, Patrick Schaaf wrote:
> > iptables should have used ifindex, it's sad we allowed the substring
> > match in first place.
>
> Not to comment on the ifalias thing, which I think is unnecessary,
> too, but matching on interface names instead of only ifindex, is
> definitely needed, so that one can establish a full ruleset before
> interfaces even exist. That's good practice at boottime, but also
> needed for dynamic interface creation during runtime.
>
> A pure ifindex-during-packet-inspection approach might still work, but
> the ruleset must IMO keep the interface names. Maybe register them in
> a hash, keyed by name, with values an ifindex or ifindex set (for
> wildcard names), plus a reverse mapping from active ifindices to all
> places in these hash values where an ifindex has been remembered. On
> interface creation / destruction that structure could then be updated,
> and active packet filtering rules would refer to (and keep a refcount
> on) specific hash elements.
>
Please do not send HTML messages: your reply did not reach the lists.
Then, all you mention could have been solved by proper userspace
support.
Every time you add an interface or change device name, you could change
firewall rules if needed. Nothing shocking here.
The ruleset can indeed mention interface names, but the kernel part
really should not care about names, which are a 'human' convenient way
to represent things.
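The name-keyed table Patrick sketches in the quoted text, modelled as an added example (not kernel or netfilter code, and not from either poster): rules keep interface names, using the iptables trailing `+` prefix wildcard, and are resolved to ifindex sets that are updated on interface creation and destruction, so the per-packet check is an ifindex lookup with no string comparison. The class, method names, and every interface name and index below are constructed for illustration.

```python
def name_matches(pattern: str, ifname: str) -> bool:
    """iptables-style match: a trailing '+' matches any name with that prefix,
    otherwise the name must be equal to the pattern."""
    if pattern.endswith("+"):
        return ifname.startswith(pattern[:-1])
    return ifname == pattern


class IfaceRuleTable:
    """Hypothetical name-keyed rule table with a reverse ifindex map."""

    def __init__(self):
        self.rules = {}     # pattern -> set of ifindex values currently matching it
        self.by_index = {}  # ifindex -> set of patterns that remembered it (reverse map)
        self.devs = {}      # ifindex -> name of each currently active interface

    def add_rule(self, pattern: str) -> None:
        """Install a rule; it may be added before any matching interface exists."""
        if pattern in self.rules:
            return
        self.rules[pattern] = {idx for idx, n in self.devs.items()
                               if name_matches(pattern, n)}
        for idx in self.rules[pattern]:
            self.by_index.setdefault(idx, set()).add(pattern)

    def dev_add(self, ifindex: int, ifname: str) -> None:
        """Interface created: bind its ifindex to every rule whose name matches.
        A rename is modelled as dev_del() followed by dev_add()."""
        self.devs[ifindex] = ifname
        for pattern, indices in self.rules.items():
            if name_matches(pattern, ifname):
                indices.add(ifindex)
                self.by_index.setdefault(ifindex, set()).add(pattern)

    def dev_del(self, ifindex: int) -> None:
        """Interface destroyed: the reverse map tells us which rule entries to clean."""
        self.devs.pop(ifindex, None)
        for pattern in self.by_index.pop(ifindex, set()):
            self.rules[pattern].discard(ifindex)

    def packet_matches(self, pattern: str, ifindex: int) -> bool:
        """Per-packet check: a set membership test on ifindex only."""
        return ifindex in self.rules.get(pattern, set())
```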