| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20160313.215033.17951850162749485.davem@davemloft.net> Date: Sun, 13 Mar 2016 21:50:33 -0400 (EDT) From: David Miller <davem@...emloft.net> To: mahesh@...dewar.net Cc: maheshb@...gle.com, edumazet@...gle.com, netdev@...r.kernel.org Subject: Re: [PATCH next v2 0/7] Introduce l3_dev pointer for L3 processing From: Mahesh Bandewar <mahesh@...dewar.net> Date: Wed, 9 Mar 2016 13:49:49 -0800 > This does happen as expected for egress traffic however on ingress > traffic, the IPvlan packet-handler changes the skb->dev and this > forces packet to be processed with the IPvlan slave and it's > associated ns. This causes above mentioned problem and few other > which are not yet reported / attempted. e.g. IPsec with L3 mode or > even ingress routing. And now your changes make it so that we can't run netfilter rules on the slave's device within the slave's ns. If someone is doing that now you're breaking things for them. It doesn't matter whether doing so or not makes sense. You're going to have to find a way to do both, and also I'm concerned about how you're leaking the source namespace's "stuff" into the destination's. That's very worrisome to me. There is no way I'm applying this as-is, sorry.
Powered by blists - more mailing lists