lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20160313.215033.17951850162749485.davem@davemloft.net>
Date:	Sun, 13 Mar 2016 21:50:33 -0400 (EDT)
From:	David Miller <davem@...emloft.net>
To:	mahesh@...dewar.net
Cc:	maheshb@...gle.com, edumazet@...gle.com, netdev@...r.kernel.org
Subject: Re: [PATCH next v2 0/7] Introduce l3_dev pointer for L3 processing

From: Mahesh Bandewar <mahesh@...dewar.net>
Date: Wed,  9 Mar 2016 13:49:49 -0800

> This does happen as expected for egress traffic however on ingress
> traffic, the IPvlan packet-handler changes the skb->dev and this
> forces packet to be processed with the IPvlan slave and it's
> associated ns. This causes above mentioned problem and few other
> which are not yet reported / attempted. e.g.  IPsec with L3 mode or
> even ingress routing.

And now your changes make it so that we can't run netfilter rules on
the slave's device within the slave's ns.

If someone is doing that now you're breaking things for them.

It doesn't matter whether doing so or not makes sense.

You're going to have to find a way to do both, and also I'm concerned
about how you're leaking the source namespace's "stuff" into the
destination's.  That's very worrisome to me.

There is no way I'm applying this as-is, sorry.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ