| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAM_iQpXiHOarvPHweT+=bRmztU0VeNQhUgHw7B7qbwndJ0NBUg@mail.gmail.com>
Date: Tue, 13 Jun 2017 14:16:28 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Florian Westphal <fw@...len.de>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
netfilter-devel@...r.kernel.org,
Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: [PATCH nf-next] netns: add and use net_ns_barrier
On Tue, Jun 13, 2017 at 11:07 AM, Florian Westphal <fw@...len.de> wrote:
> Historically it wasn't needed because we just clear out the helper area
> in the affected conntracks (i.e, future packets are not inspected by
> the helper anymore).
>
> When conntracks were made per-netns this problem was added as we're not
> guaranteed to see all net namespace because module_exit and netns cleanup
> can run concurrently.
>
> We can still use the "old" model if we guarantee that we wait for
> netns cleanup to finish (which is what this patch does).
>
> The alternative, as you pointed out, is to take a module reference for
> each conntrack that uses the helper (and put again when connection is
> destroyed).
Yeah, this is exactly what I am suggesting and I fully expect this could
need more work than this barrier.
>
> I don't really care that much except that if we go for the latter
> solution users cannot "just rmmod" the module anymore but might have
> to manually remove the affected connections first.
This is not bad because the module is indeed being used in this scenario
so EBUSY is expected, or do we need to guarantee conntrack modules
are not held by existing connections?
Powered by blists - more mailing lists