| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAF2d9jga+4uUM1TJeJLz5+t6Dqg2-JNPT-63cp8d74yoto3qAA@mail.gmail.com>
Date: Tue, 29 Nov 2016 09:36:43 -0800
From: Mahesh Bandewar (महेश बंडेवार)
<maheshb@...gle.com>
To: Gao Feng <fgao@...ai8.com>
Cc: David Miller <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
linux-netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH net-next v2 1/1] driver: ipvlan: Use NF_IP_PRI_LAST as
hook priority instead of INT_MAX
On Mon, Nov 28, 2016 at 5:14 PM, Gao Feng <fgao@...ai8.com> wrote:
>
> Hi Mahesh,
>
> On Tue, Nov 29, 2016 at 3:26 AM, Mahesh Bandewar (महेश बंडेवार)
> <maheshb@...gle.com> wrote:
> > On Sun, Nov 27, 2016 at 3:18 AM, <fgao@...ai8.com> wrote:
> >> From: Gao Feng <fgao@...ai8.com>
> >>
> >> It is better to use NF_IP_PRI_LAST instead of INT_MAX as hook priority.
> >> The former is good at readability and easier to maintain.
> >>
> > This IPvlan hook has to be "absolute" last hook and at this moment
> > NF_IP_PRI_LAST is set as INT_MAX so it's not altering anything.
>
> Yes. It is same now.
> So I prefer to use NF_IP_PRI_LAST than INT_MAX.
> Because the nf_hook_ops belongs to the netfilter module. i think the
> ipvlan codes should follow its rule.
> Since netfilter has defined some specific priority enum value, why
> don't we follow it?
>
Making changes only to IPvlan is problem-prone as I have explained earlier.
> >
> > If for whatever reasons the value of NF_IP_PRI_LAST changes, there
> > could be random IPvlan failure. Since that possibility cannot be
> > denied and there are several places INT_MAX is still used as hook
> > priority, I don't see any gain in having this patch in fact there
> > could be future (possible) downside.
>
> If the netfilter module changed the value of NF_IP_PRI_LAST, it may
> decrease it and add one check for the hook priority.
> As a result, the ipvlan may fail to register because of invalid priority.
>
> When use INT_MAX not NF_IP_PRI_LAST, there is one assumption that the
> hook priority is never changed.
> I think it is not good as two different modules.
>
> Regards
> Feng
>
> >
> >> Signed-off-by: Gao Feng <fgao@...ai8.com>
> >> ---
> >> v2: Add the lost header file. It is added in local but not in v1 patch
> >> v1: Inital patch
> >>
> >> drivers/net/ipvlan/ipvlan_main.c | 5 +++--
> >> 1 file changed, 3 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
> >> index ab90b22..01c7446 100644
> >> --- a/drivers/net/ipvlan/ipvlan_main.c
> >> +++ b/drivers/net/ipvlan/ipvlan_main.c
> >> @@ -7,6 +7,7 @@
> >> *
> >> */
> >>
> >> +#include "linux/netfilter_ipv4.h"
> >> #include "ipvlan.h"
> >>
> >> static u32 ipvl_nf_hook_refcnt = 0;
> >> @@ -16,13 +17,13 @@
> >> .hook = ipvlan_nf_input,
> >> .pf = NFPROTO_IPV4,
> >> .hooknum = NF_INET_LOCAL_IN,
> >> - .priority = INT_MAX,
> >> + .priority = NF_IP_PRI_LAST,
> >> },
> >> {
> >> .hook = ipvlan_nf_input,
> >> .pf = NFPROTO_IPV6,
> >> .hooknum = NF_INET_LOCAL_IN,
> >> - .priority = INT_MAX,
> >> + .priority = NF_IP_PRI_LAST,
> >> },
> >> };
> >>
> >> --
> >> 1.9.1
> >>
> >>
>
>
Powered by blists - more mailing lists