| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 26 Apr 2019 21:14:40 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Jakub Kicinski <jakub.kicinski@...ronome.com>
Cc: Jiri Pirko <jiri@...nulli.us>, netfilter-devel@...r.kernel.org,
davem@...emloft.net, netdev@...r.kernel.org, jiri@...lanox.com,
john.hurley@...ronome.com, ogerlitz@...lanox.com
Subject: Re: [PATCH net-next,RFC 0/9] net: sched: prepare to reuse per-block
callbacks from netfilter
On Fri, Apr 26, 2019 at 11:55:12AM -0700, Jakub Kicinski wrote:
> On Fri, 26 Apr 2019 20:41:45 +0200, Pablo Neira Ayuso wrote:
> > If netfilter supports for chain definitions like this:
> >
> > table x {
> > chain y {
> > type filter hook ingress devices = { eth0, eth1 } priority 0;
> > }
> > }
> >
> > Then the chain 'y' implicitly becomes the block for the 'eth0' and
> > 'eth1' devices.
>
> Can there be more chains for those devices? Or those will only run y
> from netfilter perspective?
In software, the existing control plane allows you to register as
many chains as you want, that would allow to include 'eth0' and 'eth1'.
However, But I don't have a usecase for this: One single chain should
be enough given that the ingress hook is only used for filtering. We
are inheriting this semantics from iptables, where multiple tables at
different priorities (which specifies the order) make sense, such as
'raw', 'mangle' and so on. At ingress, these don't make sense and a
single chain with priority 0 should be enough.
In case of hardware offload, I think we should just allow one single
chain at ingress with 'eth0' and 'eth1', just like tc does. Just
return EOPNOTSUPP.
Powered by blists - more mailing lists