lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87twu8lcre.fsf@x220.int.ebiederm.org>
Date:	Mon, 15 Jun 2015 19:26:13 -0500
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	David Miller <davem@...emloft.net>
Cc:	netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
	stephen@...workplumber.org, jjciarla@...z.uncu.edu.ar,
	wensong@...ux-vs.org, horms@...ge.net.au, ja@....bg,
	pablo@...filter.org, kaber@...sh.net, kadlec@...ckhole.kfki.hu,
	jhs@...atatu.com, steffen.klassert@...unet.com,
	herbert@...dor.apana.org.au
Subject: Re: [PATCH net-next 00/15] Simplify netfilter and network namespaces

David Miller <davem@...emloft.net> writes:

> From: ebiederm@...ssion.com (Eric W. Biederman)
> Date: Sun, 14 Jun 2015 22:07:30 -0500
>
>> While looking into what it would take to route packets out to network
>> devices in other network namespaces I started looking at the netfilter
>> hooks, and there is a lot of nasty code to figure out which network
>> namespace to filter the packets in.
>
> I am assume that you and Pablo are going to look at eachother's
> work and decide how to proceed and therefore I'm getting another
> series to actually apply at some point in the future.

I am busily looking, and being slightly challenged by the fact that the
netfilter code is a moving target in net-next.  That is not really a
bad thing as some of Pablo's patches were against the patches that
were merged today.

It does look like Pablo's path to getting per network namespace
netfilter hooks is the best path to a good long term result, for per
network namespace hooks.  I am busily agumenting it with a Kconfig guard
so bisection that disables network namespaces support while netfilter
only works on the initial network namespace.  As otherwise bisection
will be a lost cause.  AKA

	config NET_NS
		depends on !NETFILTER

At the same time it looks like Pablos patches come out cleaner when
rebased on my patchset.

The number of conflicts between the two patchsets is very small
and easily resolved.

So what I am in the processes of doing is reviewing and testing
the combined set of patches and hopefully I will have something
for you soon (tomorrow?).  Unless Pablo has objections.

Right now I am attempting to verify that I have found all of the places
in Pablo's patchset where the patches do not compile on their own, as
there were some silly left-overs.

But overall I think Pablo's patches look good.

Eric
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ