lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 26 Apr 2019 21:14:40 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Jakub Kicinski <jakub.kicinski@...ronome.com>
Cc:     Jiri Pirko <jiri@...nulli.us>, netfilter-devel@...r.kernel.org,
        davem@...emloft.net, netdev@...r.kernel.org, jiri@...lanox.com,
        john.hurley@...ronome.com, ogerlitz@...lanox.com
Subject: Re: [PATCH net-next,RFC 0/9] net: sched: prepare to reuse per-block
 callbacks from netfilter

On Fri, Apr 26, 2019 at 11:55:12AM -0700, Jakub Kicinski wrote:
> On Fri, 26 Apr 2019 20:41:45 +0200, Pablo Neira Ayuso wrote:
> > If netfilter supports for chain definitions like this:
> > 
> >         table x {
> >                 chain y {
> >                         type filter hook ingress devices = { eth0, eth1 } priority 0;
> >                 }
> >         }
> > 
> > Then the chain 'y' implicitly becomes the block for the 'eth0' and
> > 'eth1' devices.
> 
> Can there be more chains for those devices?  Or those will only run y
> from netfilter perspective?

In software, the existing control plane allows you to register as
many chains as you want, that would allow to include 'eth0' and 'eth1'.
However, But I don't have a usecase for this: One single chain should
be enough given that the ingress hook is only used for filtering. We
are inheriting this semantics from iptables, where multiple tables at
different priorities (which specifies the order) make sense, such as
'raw', 'mangle' and so on. At ingress, these don't make sense and a
single chain with priority 0 should be enough.

In case of hardware offload, I think we should just allow one single
chain at ingress with 'eth0' and 'eth1', just like tc does. Just
return EOPNOTSUPP.

Powered by blists - more mailing lists