Message-ID: <20210930121758.43e1893d@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Date:   Thu, 30 Sep 2021 12:17:58 -0700
From:   Jakub Kicinski <kuba@...nel.org>
To:     Pablo Neira Ayuso <pablo@...filter.org>
Cc:     Daniel Borkmann <daniel@...earbox.net>,
        netfilter-devel@...r.kernel.org, davem@...emloft.net,
        netdev@...r.kernel.org, lukas@...ner.de, kadlec@...filter.org,
        fw@...len.de, ast@...nel.org, edumazet@...gle.com, tgraf@...g.ch,
        nevola@...il.com, john.fastabend@...il.com, willemb@...gle.com
Subject: Re: [PATCH nf-next v5 0/6] Netfilter egress hook

On Thu, 30 Sep 2021 20:00:56 +0200 Pablo Neira Ayuso wrote:
> On Thu, Sep 30, 2021 at 09:06:52AM -0700, Jakub Kicinski wrote:
> > On Thu, 30 Sep 2021 17:13:37 +0200 Pablo Neira Ayuso wrote:  
> > > It's just one single bit in this case after all.  
> > 
> > ??  
> 
> There are "escape" points such as ifb from ingress, where the packets get
> enqueued and then percpu might not help, it might be fragile to use
> percpu in this case.

You still have to scrub the skb mark at the correct points, otherwise
the ignoring egress may propagate beyond the "paired hook". I don't see
much difference in fragility TBH.

Speaking of ifb, doesn't it have an egress hook? And ingress on the way
out? IMHO the "ignore egress" mark should not survive going thru ifb.

Anyway, that's just my preference. Whatever you, Daniel and Lukas
decide together in the end is fine by me.
