Open Source and information security mailing list archives
 
Date:   Mon, 19 Feb 2018 10:13:35 -0500 (EST)
From:   David Miller <davem@...emloft.net>
To:     fw@...len.de
Cc:     daniel@...earbox.net, laforge@...monks.org, netdev@...r.kernel.org,
        netfilter-devel@...r.kernel.org, alexei.starovoitov@...il.com
Subject: Re: [PATCH RFC 0/4] net: add bpfilter

From: Florian Westphal <fw@...len.de>
Date: Mon, 19 Feb 2018 15:59:35 +0100

> David Miller <davem@...emloft.net> wrote:
>> It also means that the scope of developers who can contribute and work
>> on the translator is much larger.
> 
> How so?  Translator is in userspace in nftables case too?

Florian, first of all, the whole "change the iptables binary" idea is
a non-starter.  For the many reasons I have described in the various
postings I have made today.

It is entirely impractical.

So we are strictly talking about the code we are writing to translate
iptables ABI (in the kernel) into an eBPF based datapath.

Anything designed in that nature must be distributed completely in the
kernel tree, so that the iptables kernel ABI is provided without any
external dependencies.

We could have done the translator in the kernel, but instead we are
doing it with a userland component.

And that's what we are talking about.

Thank you.
