Dmitry Safonov wrote:
> So, here I add a compatible layer to xfrm.
> As xfrm uses netlink notifications, kernel should send them in ABI
> format that an application will parse. The proposed solution is
> to save the ABI of bind() syscall. The realization detail is
> to create kernel-hidden, non vi
Dmitry Safonov wrote:
> 1. It will double copy netlink messages, making it O(n) instead of
> O(1), where n - is number of bind()s.. Probably we don't care much.
About those bind() patches, I don't understand why they are needed.
Why can't you just add the compat skb to the native skb when doing
Dmitry Safonov wrote:
> On Sat, 2018-07-28 at 14:18 -0700, David Miller wrote:
> > From: Dmitry Safonov
> > Date: Sat, 28 Jul 2018 17:26:55 +0100
> >
> > > Well, I think, I'll rework my patches set according to critics and
> > > separate compat xfrm layer. I've already a selftest to check that
>
Richard Guy Briggs wrote:
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 96cabb095eed..5eab4d898c26 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -379,7 +379,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm
> *bprm,
> extern void __audit_
Richard Guy Briggs wrote:
> Align all function declaration parameters with open parenthesis.
Acked-by: Florian Westphal
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Richard Guy Briggs wrote:
> Git context diffs were being produced with unhelpful declaration types
> in the place of function names to help identify the function in which
> changes were made.
>
> Normalize ebtables function declarations so that git context diff
> function labels work as expected.
Richard Guy Briggs wrote:
> The default policy is NF_ACCEPT (because Rusty didn't want
> more email, go figure...). It occurred to me later that some table
> loads took a command line parameter to be able to change the default
> policy verdict from NF_ACCEPT to NF_DROP. In particular, filter FOR
Richard Guy Briggs wrote:
> iptables, ip6tables, arptables and ebtables table registration,
> replacement and unregistration configuration events are logged for the
> native (legacy) iptables setsockopt api, but not for the
> nftables netlink api which is used by the nft-variant of iptables in
> a
Richard Guy Briggs wrote:
> Well, we are only logging "some change", so is it necessary to log the
> generation count to show that? Is the generation count of specific
> interest?
No, it's of no specific interest. I just worded this poorly.
If the generation id increments, then something has bee
Richard Guy Briggs wrote:
> On 2021-02-11 23:09, Florian Westphal wrote:
> > So, if just a summary is needed a single audit_log_nfcfg()
> > after 'step 3' and outside of the list_for_each_entry_safe() is all
> > that is needed.
>
> Ok, so it should not
Richard Guy Briggs wrote:
> On 2021-02-18 09:22, Florian Westphal wrote:
> > No. There is a hierarchy, e.g. you can't add a chain without first
> > adding a table, BUT in case the table was already created by an earlier
> > transaction it can also be stand-alone.
>
Richard Guy Briggs wrote:
> Ok, can I get one more clarification on this "hierarchy"? Is it roughly
> in the order they appear in nf_tables_commit() after step 3? It appears
> it might be mostly already. If it isn't already, would it be reasonable
> to re-order them? Would you suggest a differ
Richard Guy Briggs wrote:
> > If they appear in a batch they will be ignored, if the batch consists of
> > such non-modifying ops only then nf_tables_commit() returns early
> > because the transaction list is empty (nothing to do/change).
>
> Ok, one little inconvenient question: what about GETOB
Richard Guy Briggs wrote:
> nft_commit_notify(net, NETLINK_CB(skb).portid);
> nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
> nf_tables_commit_release(net);
>
> + nf_tables_commit_audit_log(&adl, net->nft.base_seq);
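Review bot: the added `nf_tables_commit_audit_log(&adl, net->nft.base_seq);` line is placed after `nf_tables_commit_release(net);`; it needs to be moved before the nf_tables_commit_release() call, i.e. directly after `nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);`.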
This needs to be before nf_tables_commit_release() call
7.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
Before:
294953
After:
298013
(alloc/free no longer serializes on spinlock, allocator can use percpu
pool).
Signed-off-by: Florian Westphal
---
kernel/audit.c | 53 -
1 file changed, 8 insertions(+), 45
Richard Guy Briggs wrote:
> > static void audit_buffer_free(struct audit_buffer *ab)
> > {
> > - unsigned long flags;
> > -
> > if (!ab)
> > return;
> >
> > kfree_skb(ab->skb);
> > - spin_lock_irqsave(&audit_freelist_lock, flags);
> > - if (audit_freelist_count > AUDI
Paul Moore wrote:
> On Tue, Nov 15, 2016 at 8:16 AM, Florian Westphal wrote:
> > allows better debugging as freeing audit buffers now always honors slub
> > debug hooks (e.g. object poisoning) and leak checker can detect the
> > free operation.
> >
> > Remova
Paul Moore wrote:
> On Wed, Nov 30, 2016 at 8:44 PM, Florian Westphal wrote:
> > Paul Moore wrote:
> >> On Tue, Nov 15, 2016 at 8:16 AM, Florian Westphal wrote:
> >> > allows better debugging as freeing audit buffers now always honors slub
> >> > de
Richard Guy Briggs wrote:
> Simplify and eliminate flipping in and out of message fields, relying on
> nfmark
> the way we do for audit_key.
>
> +struct nfpkt_par {
> + int ipv;
> + const void *saddr;
> + const void *daddr;
> + u8 proto;
> +};
This is problematic, see below for
Richard Guy Briggs wrote:
> On 2017-02-23 11:57, Paul Moore wrote:
> > On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs
> > wrote:
> > > On 2017-02-23 06:20, Florian Westphal wrote:
> > >> Richard Guy Briggs wrote:
> > >> > Simplify
Richard Guy Briggs wrote:
> > Not following, sorry, are you saying users can/should use -j MARK
> > somehow?
>
> Part of the discussed design and rationale for stripping many of the
> vanishing fields is that when setting up netfilter rules to invoke the
> AUDIT target, an accompanying nf mark sh
Paul Moore wrote:
> On Thu, Feb 23, 2017 at 12:35 PM, Richard Guy Briggs wrote:
> > I had another idea on how to include the sport and dport and that was to
> > use the same identifier for sport/icmptype and also for dport/icmpcode,
> > but you've already said you are not interested.
>
> Not at
Richard Guy Briggs wrote:
> > Perhaps I'm missing something here, but let me ask again, how does
> > userspace distinguish between an unset nfmark and a nfmark of
> > 0x?
>
> It can't.
It can if you log it as 0, as I asked in patch 1 review.
(You wouldn't log sk uid of 0 as -1 either, w
Paul Moore wrote:
> On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal wrote:
> > Richard Guy Briggs wrote:
> >> > Perhaps I'm missing something here, but let me ask again, how does
> >> > userspace distinguish between an unset nfmark and a nfmark of