lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Feb 2018 17:14:08 +0100 From: Florian Westphal <fw@...len.de> To: Florian Westphal <fw@...len.de> Cc: Daniel Borkmann <daniel@...earbox.net>, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org, davem@...emloft.net, alexei.starovoitov@...il.com Subject: Re: [PATCH RFC 0/4] net: add bpfilter Florian Westphal <fw@...len.de> wrote: > Daniel Borkmann <daniel@...earbox.net> wrote: > Several questions spinning at the moment, I will probably come up with > more: ... and here there are some more ... One of the many pain points of xtables design is the assumption of 'used only by sysadmin'. This has not been true for a very long time, so by now iptables has this userspace lock (yes, its fugly workaround) to serialize concurrent iptables invocations in userspace. AFAIU the translate-in-userspace design now brings back the old problem of different tools overwriting each others iptables rules. Another question -- am i correct in that each rule manipulation would incur a 'recompilation'? Or are there different mini programs chained together? One of the nftables advantages is that (since rule representation in kernel is black-box from userspace point of view) is that the kernel can announce add/delete of rules or elements from nftables sets. Any particular reason why translating iptables rather than nftables (it should be possible to monitor the nftables changes that are announced by kernel and act on those)?
Powered by blists - more mailing lists