| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+6hz4qXYzC-mEfTqa5HOf9GtL1S1Q=rcz_CtFW5mbvUtj7niA@mail.gmail.com>
Date: Tue, 29 Nov 2016 09:14:45 +0800
From: Gao Feng <fgao@...ai8.com>
To: Mahesh Bandewar (महेश बंडेवार)
<maheshb@...gle.com>
Cc: David Miller <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
linux-netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH net-next v2 1/1] driver: ipvlan: Use NF_IP_PRI_LAST as
hook priority instead of INT_MAX
Hi Mahesh,
On Tue, Nov 29, 2016 at 3:26 AM, Mahesh Bandewar (महेश बंडेवार)
<maheshb@...gle.com> wrote:
> On Sun, Nov 27, 2016 at 3:18 AM, <fgao@...ai8.com> wrote:
>> From: Gao Feng <fgao@...ai8.com>
>>
>> It is better to use NF_IP_PRI_LAST instead of INT_MAX as hook priority.
>> The former is good at readability and easier to maintain.
>>
> This IPvlan hook has to be "absolute" last hook and at this moment
> NF_IP_PRI_LAST is set as INT_MAX so it's not altering anything.
Yes. It is same now.
So I prefer to use NF_IP_PRI_LAST than INT_MAX.
Because the nf_hook_ops belongs to the netfilter module. i think the
ipvlan codes should follow its rule.
Since netfilter has defined some specific priority enum value, why
don't we follow it?
>
> If for whatever reasons the value of NF_IP_PRI_LAST changes, there
> could be random IPvlan failure. Since that possibility cannot be
> denied and there are several places INT_MAX is still used as hook
> priority, I don't see any gain in having this patch in fact there
> could be future (possible) downside.
If the netfilter module changed the value of NF_IP_PRI_LAST, it may
decrease it and add one check for the hook priority.
As a result, the ipvlan may fail to register because of invalid priority.
When use INT_MAX not NF_IP_PRI_LAST, there is one assumption that the
hook priority is never changed.
I think it is not good as two different modules.
Regards
Feng
>
>> Signed-off-by: Gao Feng <fgao@...ai8.com>
>> ---
>> v2: Add the lost header file. It is added in local but not in v1 patch
>> v1: Inital patch
>>
>> drivers/net/ipvlan/ipvlan_main.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
>> index ab90b22..01c7446 100644
>> --- a/drivers/net/ipvlan/ipvlan_main.c
>> +++ b/drivers/net/ipvlan/ipvlan_main.c
>> @@ -7,6 +7,7 @@
>> *
>> */
>>
>> +#include "linux/netfilter_ipv4.h"
>> #include "ipvlan.h"
>>
>> static u32 ipvl_nf_hook_refcnt = 0;
>> @@ -16,13 +17,13 @@
>> .hook = ipvlan_nf_input,
>> .pf = NFPROTO_IPV4,
>> .hooknum = NF_INET_LOCAL_IN,
>> - .priority = INT_MAX,
>> + .priority = NF_IP_PRI_LAST,
>> },
>> {
>> .hook = ipvlan_nf_input,
>> .pf = NFPROTO_IPV6,
>> .hooknum = NF_INET_LOCAL_IN,
>> - .priority = INT_MAX,
>> + .priority = NF_IP_PRI_LAST,
>> },
>> };
>>
>> --
>> 1.9.1
>>
>>
Powered by blists - more mailing lists