From: Florian Westphal <fw@xxxxxxxxx> Date: Thu, 12 Oct 2017 13:14:29 +0200 > Ursula Braun <ubraun@xxxxxxxxxxxxxxxxxx> wrote: >> On 10/11/2017 11:06 PM, David Miller wrote: >> > From: Ursula Braun <ubraun@xxxxxxxxxxxxxxxxxx> >> > Date: Tue, 10 Oct 2017 16:14:19 +0200 >> > >> >> The goal of this patch is to leave common TCP code unmodified. Thus, >> >> it uses netfilter hooks to intercept TCP SYN and SYN/ACK >> >> packets. For outgoing packets originating from SMC sockets, the >> >> experimental option is added. For inbound packets destined for SMC >> >> sockets, the experimental option is checked. >> > >> > I think this really isn't going to pass. >> > >> > It's a user experience nightmare when the kernel inserts and >> > deletes filtering rules outside of what the user configures >> > on their system. > > It depends if the hook is passive or not (i.e. mangles > payload/metadata or returns verdict other than NF_ACCEPT). > > OUTPUT hook added here is not passive as it mangles tcp options. > >> > This approach was also considerd for ipv6 ILA, and the same >> > pushback was given. > > ahem. > net/ipv6/ila/ila_xlat.c: err = nf_register_net_hooks(net, ila_nf_hook_ops, My bad, I thought we had decided against that. Oh well. -- To unsubscribe from this list: send the line "unsubscribe linux-s390" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
