| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAM_iQpUtZZBXQNB+tWJikQNmCHBot3tp7vAsc6+Xnh5H__6++g@mail.gmail.com>
Date: Tue, 13 Jun 2017 09:35:20 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Florian Westphal <fw@...len.de>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
netfilter-devel@...r.kernel.org,
Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: [PATCH nf-next] netns: add and use net_ns_barrier
On Mon, Jun 12, 2017 at 11:16 PM, Florian Westphal <fw@...len.de> wrote:
> Cong Wang <xiyou.wangcong@...il.com> wrote:
>> On Thu, Jun 1, 2017 at 1:52 AM, Florian Westphal <fw@...len.de> wrote:
>> > Joe described it nicely, problem is that after unload we may have
>> > conntracks that still have a nf_conn_help extension attached that
>> > has a pointer to a structure that resided in the (unloaded) module.
>>
>> Why not hold a refcnt for its module?
>
> That would work as well.
>
> I'm not sure its nice to disallow rmmod of helper modules if they are
> used by a connection however.
I am _not_ suggesting to disallow rmmod.
>
> Right now you can "rmmod nf_conntrack_foo" at any time and this should
> work just fine without first having to flush affected conntracks
> manually.
My point is that since netns wq could invoke code of that module,
why it doesn't hold a refcnt of that module?
I am not familiar with netfilter code base so not sure if that is
hard to do or not, but it looks more elegant than this barrier.
Powered by blists - more mailing lists