lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 28 Jan 2018 19:22:12 -0800
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     Eyal Birger <eyal.birger@...il.com>
Cc:     Pablo Neira Ayuso <pablo@...filter.org>,
        David Miller <davem@...emloft.net>,
        Jamal Hadi Salim <jhs@...atatu.com>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>,
        shmulik@...anetworks.com, Eyal Birger <eyal@...anetworks.com>
Subject: Re: [PATCH net-next,v2 2/2] net: sched: add em_ipt ematch for calling
 xtables matches

On Fri, Jan 26, 2018 at 11:57 AM, Eyal Birger <eyal.birger@...il.com> wrote:
> On Fri, Jan 26, 2018 at 8:50 PM, Pablo Neira Ayuso <pablo@...filter.org> wrote:
>> Isn't there a way to reject the use of this from ->change()? ie. from
>> control plane configuration.
>
> I wasn't able to find a simple way of doing so:
>
> - AFAIU tc filters are detached from the qdiscs they operate on via
> tcf_block instances
>   that may be shared by different qdiscs. I was not able to be sure that filters
>   attached to ingress qdiscs via tcf_blocks at configuration time
> cannot be later be shared
>   with non ingress qdiscs. Nor was I able to find another classifier
> making the ingress/egress
>   distinction at configuration time.
>
> - ematches are not provided with 'ingress/egress' information at
> 'change()' invocation, though
>   of course the infrastructure could be extended to provide this,
> given the distinction is available.
>

In the past you can check tp->q, but now we support shared tc filter
block, so it is hard. I think your v1 is okay, which just silently passes
the match on egress side. Or maybe we can just add a pr_info()
unconditionally in em_ipt_change() saying only ingress is supported.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ