Date:	Mon, 29 Feb 2016 14:08:04 -0800
From:	Mahesh Bandewar <mahesh@...dewar.net>
To:	David Miller <davem@...emloft.net>
Cc:	Mahesh Bandewar <maheshb@...gle.com>,
	Eric Dumazet <edumazet@...gle.com>,
	netdev <netdev@...r.kernel.org>
Subject: [PATCH next 0/3] IPvlan L3 symmetric mode

From: Mahesh Bandewar <maheshb@...gle.com>

One of the major requests (for enhancement) that I have received
from various users of IPvlan in L3 mode is its inability to handle
IPtables.

In a typical IPvlan L3 setup, the master is in the default-ns and
each slave is in a different (slave) ns. In this setup, egress
packet processing for traffic originating from the slave-ns will
hit all NF_HOOKs in the slave-ns as well as the default-ns. However,
the same is not true for ingress processing. All these NF_HOOKs are
hit only in the slave-ns, skipping them in the default-ns.
IPvlan in L3 mode is restrictive and it's preferred to hit these
hooks in master's ns than in slave's ns (L2 mode is where these
hooks will be hit only in slave's ns).

This can be achieved by adding a device pointer in net_device
struct. Stack will use this device reference and associated ns
for all egress L3 processing. By default this is initialized to
self so skb->dev would be same as skb->dev->l3_dev and hence the
normal path will stay unchanged. Also since l3_dev is in the
same RX cache line, there should not be any additional cost.

IPvlan slaves OTOH can assign (nominate) their master to their l3_dev
so that L3 processing happens in master's ns.

Please check individual patches for the details.

Mahesh Bandewar (3):
  dev: Add netif_get_l3_dev() helper
  ipvlan: Use netif_get_l3_dev() to implement L3-symmetric mode.
  net: update L3 path with device selection logic

 drivers/net/ipvlan/ipvlan_main.c | 16 +++++++++-------
 include/linux/netdevice.h        |  6 ++++++
 net/core/dev.c                   | 10 +++++++---
 net/ipv4/ip_input.c              |  5 +++--
 net/ipv6/ip6_input.c             |  5 +++--
 5 files changed, 28 insertions(+), 14 deletions(-)

-- 
2.7.0.rc3.207.g0ac5344
