Message-ID: <CAJieiUjPvte25P0VOdzYgB34TaLN_veTq3PhRc9yse7REmJaCw@mail.gmail.com>
Date:   Tue, 5 Sep 2017 21:04:17 -0700
From:   Roopa Prabhu <roopa@...ulusnetworks.com>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     Cong Wang <xiyou.wangcong@...il.com>,
        Nikolay Aleksandrov <nikolay@...ulusnetworks.com>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>,
        David Ahern <dsa@...ulusnetworks.com>,
        Jiri Pirko <jiri@...nulli.us>,
        Jamal Hadi Salim <jhs@...atatu.com>
Subject: Re: [RFC net-next] net: sch_clsact: add support for global per-netns classifier mode

On Tue, Sep 5, 2017 at 3:45 PM, Daniel Borkmann <daniel@...earbox.net> wrote:
> On 09/06/2017 12:01 AM, Roopa Prabhu wrote:
>>
>> On Tue, Sep 5, 2017 at 11:18 AM, Cong Wang <xiyou.wangcong@...il.com>
>> wrote:
>>>
>>> On Tue, Sep 5, 2017 at 5:48 AM, Nikolay Aleksandrov
>>> <nikolay@...ulusnetworks.com> wrote:
>>>>
>>>> Hi all,
>>>> This RFC adds a new mode for clsact which designates a device's egress
>>>> classifier as global per netns. The packets that are not classified for
>>>> a particular device will be classified using the global classifier.
>>>> We have needed a global classifier for some time now for various
>>>> purposes and setting the single bridge or loopback/vrf device as the
>
>
> Can you elaborate a bit more on the ... "we have needed a global
> classifier for some time now for various purposes".

Most of our ACLs are global or use a wildcard, e.g. iptables supports
global rules without a dev. We do end up having hundreds of netdevs.
Another use case for the future is the use of tc for policy-based routing,
which requires global rules.
