| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150112172257.GG17329@acer.localdomain> Date: Mon, 12 Jan 2015 17:22:57 +0000 From: Patrick McHardy <kaber@...sh.net> To: Patrick Schaaf <netdev@....de> Cc: Eric Dumazet <eric.dumazet@...il.com>, Richard Weinberger <richard@....at>, davem@...emloft.net, coreteam@...filter.org, netfilter-devel@...r.kernel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, bhutchings@...arflare.com, john.fastabend@...il.com, herbert@...dor.apana.org.au, vyasevic@...hat.com, jiri@...nulli.us, vfalico@...il.com, therbert@...gle.com, edumazet@...gle.com, yoshfuji@...ux-ipv6.org, jmorris@...ei.org, kuznet@....inr.ac.ru, kadlec@...ckhole.kfki.hu, pablo@...filter.org, kay@...y.org, stephen@...workplumber.org Subject: Re: [PATCH 2/3] x_tables: Use also dev->ifalias for interface matching On 12.01, Patrick Schaaf wrote: > On Monday 12 January 2015 08:51:54 Eric Dumazet wrote: > > On Mon, 2015-01-12 at 17:39 +0100, Patrick Schaaf wrote: > > > > > > Not to comment on the ifalias thing, which I think is unneccessary, > > > too, but matching on interface names instead of only ifindex, is > > > definitely needed, so that one can establish a full ruleset before > > > interfaces even exist. That's good practise at boottime, but also > > > needed for dynamic interface creation during runtime. > > > > Please do not send html messages : Your reply did not reach the lists. > > Sigh. Sorry... > > > Then, all you mention could have been solved by proper userspace > > support. > > > > Every time you add an interface or change device name, you could change > > firewalls rules if needed. Nothing shocking here. > > That is totally impractical, IMO. > > Interfaces come and go through many different actions. There's the admin > downing and upping stuff like bridges or bonds. There's stuff like libvirt / > KVM / qemu creating and destroying interfaces. In all these cases, in my > practise, I give the interfaces useful names to that I can prefix-match them > in iptables rules. > > Dynamically modifying the ruleset for each such creation and destruction, > would be a huge burden. The base ruleset would need suitable "hooks" where > these rules were inserted (ordering matters!). The addition would hardly be > atomic (with traditional iptables, unless done by generating a whole new > ruleset and restoring). The programs (e.g. libvirt) would need to be able to > call out to these specially crafted rule generator scripts. The admin would > need to add them as pre/post actions to their static (manual) interface > configuration. Loading and looking at the ruleset before bringing up the > interface would be impossible. devgroups seem like the best solution for this. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists