lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20171012.230634.24414822731374394.davem@davemloft.net>
Date:   Thu, 12 Oct 2017 23:06:34 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     fw@...len.de
Cc:     ubraun@...ux.vnet.ibm.com, netdev@...r.kernel.org,
        linux-s390@...r.kernel.org, jwi@...ux.vnet.ibm.com,
        schwidefsky@...ibm.com, heiko.carstens@...ibm.com,
        raspl@...ux.vnet.ibm.com, hwippel@...ux.vnet.ibm.com
Subject: Re: [PATCH net-next 1/1] net/smc: add SMC rendezvous protocol

From: Florian Westphal <fw@...len.de>
Date: Thu, 12 Oct 2017 13:14:29 +0200

> Ursula Braun <ubraun@...ux.vnet.ibm.com> wrote:
>> On 10/11/2017 11:06 PM, David Miller wrote:
>> > From: Ursula Braun <ubraun@...ux.vnet.ibm.com>
>> > Date: Tue, 10 Oct 2017 16:14:19 +0200
>> > 
>> >> The goal of this patch is to leave common TCP code unmodified. Thus,
>> >> it uses netfilter hooks to intercept TCP SYN and SYN/ACK
>> >> packets. For outgoing packets originating from SMC sockets, the
>> >> experimental option is added. For inbound packets destined for SMC
>> >> sockets, the experimental option is checked.
>> > 
>> > I think this really isn't going to pass.
>> > 
>> > It's a user experience nightmare when the kernel inserts and
>> > deletes filtering rules outside of what the user configures
>> > on their system.
> 
> It depends if the hook is passive or not (i.e. mangles
> payload/metadata or returns verdict other than NF_ACCEPT).
> 
> OUTPUT hook added here is not passive as it mangles tcp options.
> 
>> > This approach was also considerd for ipv6 ILA, and the same
>> > pushback was given.
> 
> ahem.
> net/ipv6/ila/ila_xlat.c:   err = nf_register_net_hooks(net, ila_nf_hook_ops,

My bad, I thought we had decided against that.

Oh well.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ