lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5AB132C5.5010806@ORACLE.COM>
Date:   Tue, 20 Mar 2018 18:11:49 +0200
From:   Liran Alon <LIRAN.ALON@...CLE.COM>
To:     David Miller <davem@...emloft.net>
CC:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        idan.brown@...CLE.COM, yuval.shaia@...CLE.COM
Subject: Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info
 only when crossing netns



On 20/03/18 18:00, David Miller wrote:
> From: Liran Alon <LIRAN.ALON@...CLE.COM>
> Date: Tue, 20 Mar 2018 17:34:38 +0200
>
>> I personally don't understand why we should maintain
>> backwards-comparability to this behaviour.
>
> The reason is because not breaking things is a cornerstone of Linux
> kernel development.
>
>> This feature is not documented to user-mode and I don't see why it
>> is legit for the user to rely on it.
>
> Whether it is documented or not is irrelevant.  A lot of our
> interfaces and behaviors are not documented or poorly documented
> at best.
>
>> In addition, even if we do want to maintain backwards-comparability to
>> this behaviour, I think it is enough to have an opt-in flag in
>> /proc/sys/net/core/ that when set to 1 will activate the fix in
>> dev_forward_skb() provided by this patch. That would also be a very
>> simple change to the patch provided here.
>
> Making it opt-in makes it more palatable, that's for sure.
>

1. Do we want to make a flag for every bug that is user-space visible? I 
think there is place for consideration on a per-case basis. I still 
don't see how a user can utilize this behaviour. He is basically loosing 
information (skb->mark) without this patch.

2. Having said that, I don't mind changing patch to maintain backwards 
compatibility here. However, there was also a discussion here on where 
the flag should sit. I think that a global /proc/sys/net/core/ flag 
should be enough. Do you agree it's sufficient for now?

Thanks,
-Liran

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ