Re: [nf-next PATCH] netfilter: nf_tables: Support updating table's owner flag

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Eric Garver <eric@xxxxxxxxxxx> wrote:
> On Wed, Dec 13, 2023 at 01:13:54PM +0100, Phil Sutter wrote:
> > Hi,
> > 
> > On Tue, Dec 12, 2023 at 05:47:22PM -0500, Eric Garver wrote:
> > > I'm not concerned with optimizing for the crash case. We wouldn't be
> > > able to make any assumptions about the state of nftables. The only safe
> > > option is to flush and reload all the rules.
> > 
> > The problem with crashes is tables with owner flag set will vanish,
> > leaving the system without a firewall.
> I'd rather see the daemon be automatically restarted. After a crash you
> still have a flush + re-apply on daemon restart. Avoiding the cleanup
> due to table owner flag only shortens the window.

But the filter rules are gone for a short time, leaving e.g. an
ipv6 network we're routing for wide open.

Same for any exposed containers or VMs.
So I'd say as-is the owner flag is harmful for filtering.

I'm fine with adding a flag that keeps the orphaned table around
and allows to (re)take ownership.

[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux