lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20151209.151309.1866782058292162458.davem@davemloft.net>
Date:	Wed, 09 Dec 2015 15:13:09 -0500 (EST)
From:	David Miller <davem@...emloft.net>
To:	dsa@...ulusnetworks.com
Cc:	netdev@...r.kernel.org, shm@...ulusnetworks.com,
	roopa@...ulusnetworks.com
Subject: Re: [PATCH net-next v3] net: Add fib rules at vrf device create

From: David Ahern <dsa@...ulusnetworks.com>
Date: Wed,  9 Dec 2015 09:43:32 -0800

> VRFs require ip rules for route lookups to work properly. Currently
> creating a VRF means instantiating a device and then adding the 4 ip
> and ip6 rules:
> 
>     ip link add vrf-${VRF} type vrf table ${TBID}
>     ip link set vrf-${VRF} up
>     ip ru add oif vrf-${VRF} table ${TBID}
>     ip ru add iif vrf-${VRF} table ${TBID}
>     ip -6 ru add oif vrf-${VRF} table $TBID
>     ip -6 ru add iif vrf-${VRF} table $TBID
> 
> Similarly, cleanup requires deleting the link and removing the FIB rules.
> Since the table is required when the vrf device is created the rules can
> be inserted and deleted automatically lightening the overhead and improving
> the user experience (only the ip link commands are needed).
> 
> The VRF driver will only automatically add and remove FIB rules if
> directed by the user per a new IFLA attribute. This new attribute,
> suggested by Roopa, helps maintain backward compatibility with existing
> users that already manage the fib rules directly.
> 
> Signed-off-by: David Ahern <dsa@...ulusnetworks.com>

David, please stop.

Just accept that you failed to design this from the beginning properly
and we're stuck with people having to run multiple commands.

There is zero value to the new attributes.

No matter what you do, users have to use the full sequence of commands
above in order for things to work with all kernels, _FULL STOP_.

The new attributes make things more complex, because ever _VALID_ tool
much accomodate the existing situation and be able to perform all of
the commands above if they are executed on an older kernel.

So the new attributes make things worse, not better.

I will ignore all further attempts to find schemes automate the rule
and route additions, because it is simply the wrong way forward.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ