| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Jun 2015 19:26:13 -0500 From: ebiederm@...ssion.com (Eric W. Biederman) To: David Miller <davem@...emloft.net> Cc: netdev@...r.kernel.org, netfilter-devel@...r.kernel.org, stephen@...workplumber.org, jjciarla@...z.uncu.edu.ar, wensong@...ux-vs.org, horms@...ge.net.au, ja@....bg, pablo@...filter.org, kaber@...sh.net, kadlec@...ckhole.kfki.hu, jhs@...atatu.com, steffen.klassert@...unet.com, herbert@...dor.apana.org.au Subject: Re: [PATCH net-next 00/15] Simplify netfilter and network namespaces David Miller <davem@...emloft.net> writes: > From: ebiederm@...ssion.com (Eric W. Biederman) > Date: Sun, 14 Jun 2015 22:07:30 -0500 > >> While looking into what it would take to route packets out to network >> devices in other network namespaces I started looking at the netfilter >> hooks, and there is a lot of nasty code to figure out which network >> namespace to filter the packets in. > > I am assume that you and Pablo are going to look at eachother's > work and decide how to proceed and therefore I'm getting another > series to actually apply at some point in the future. I am busily looking, and being slightly challenged by the fact that the netfilter code is a moving target in net-next. That is not really a bad thing as some of Pablo's patches were against the patches that were merged today. It does look like Pablo's path to getting per network namespace netfilter hooks is the best path to a good long term result, for per network namespace hooks. I am busily agumenting it with a Kconfig guard so bisection that disables network namespaces support while netfilter only works on the initial network namespace. As otherwise bisection will be a lost cause. AKA config NET_NS depends on !NETFILTER At the same time it looks like Pablos patches come out cleaner when rebased on my patchset. The number of conflicts between the two patchsets is very small and easily resolved. So what I am in the processes of doing is reviewing and testing the combined set of patches and hopefully I will have something for you soon (tomorrow?). Unless Pablo has objections. Right now I am attempting to verify that I have found all of the places in Pablo's patchset where the patches do not compile on their own, as there were some silly left-overs. But overall I think Pablo's patches look good. Eric -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists