Re: [PATCH] ila: add NETFILTER dependency

From: Pablo Neira Ayuso
Date: Fri Dec 18 2015 - 15:37:27 EST

Next message: Linus Torvalds: "Re: Rethinking sigcontext's xfeatures slightly for PKRU's benefit?"
Previous message: Vegard Nossum: "[PATCH] uml: flush stdout before forking"
In reply to: Florian Westphal: "Re: [PATCH] ila: add NETFILTER dependency"
Next in thread: David Miller: "Re: [PATCH] ila: add NETFILTER dependency"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Dec 18, 2015 at 07:09:31PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > I'm afraid this extra Kconfig dependency that Arnd adds to fix this is
> > a symptom that there is something that doesn't belong there.
> >
> > I overlook this new hook on priority -1, how does this integrate into
> > our infrastructure?
>
> Looks problematic since address changes post ipv6 dnat translations,
> its certainly unexpected for nft since we have magic address mangling
> after -2 and 0 priroized tables...

David indicated that this should be sort of transparent and integrated
into separated infrastructure.

The existing hook will break IPv6 conntrack and NAT for us, and the
extra hook is suboptimal as it

I'd suggest you add a static key and specific hook before netfilter to
deal with this.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Linus Torvalds: "Re: Rethinking sigcontext's xfeatures slightly for PKRU's benefit?"
Previous message: Vegard Nossum: "[PATCH] uml: flush stdout before forking"
In reply to: Florian Westphal: "Re: [PATCH] ila: add NETFILTER dependency"
Next in thread: David Miller: "Re: [PATCH] ila: add NETFILTER dependency"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]