Date:	Wed, 17 Oct 2007 11:11:12 +0200
From:	Patrick McHardy <kaber@...sh.net>
To:	panther@...abit.hu
CC:	netdev@...r.kernel.org, netfilter-devel@...r.kernel.org
Subject: Re: [PATCH 2/2] Interface group match - netfilter part

Laszlo Attila Toth wrote:
> Patrick McHardy wrote:
>
>> The input interface is only valid in PREROUTING, INPUT and FORWARD.
>> Why don't you support output-interface matching?
>>
> 
> The new version supports output-interface, currently I'm rewriting 
> iptables part. But I'm not sure what to do with the forward chain 
> because both input and output interface are valid here. My idea is that 
> the ifgroup_match function checks ifgroup values of both input and 
> output interfaces if they are set. An example:
> 
> iptables -A FORWARD -m ifgroup --in-ifgroup 4 --out-ifgroup 5/0x0f -j ACCEPT
> 
> The packet's input interface must be in group 4 and output interface 
> must be in group 5 but only lower 4 bits are checked. If one of these 
> assumptions fails the match fails.
> 
> Is it ok, or only one of them should be checked as in xt_policy: if 
> input side matches, other one is not checked?


xt_policy is a special case because the policy structure is so
large I decided the user should better use the match twice if
he really needs it (it's also a quite uncommon use). For the
ifgroup match I think it should behave exactly as the -i and -o
matches: allow matching both in FORWARD, input device in
PREROUTING and INPUT and output device in OUTPUT and POSTROUTING.
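As an added example (not code from this thread, from the ifgroup patch under discussion, or from the kernel): a userspace C model of the semantics settled on above, i.e. a rule may use --in-ifgroup only where an input device exists (PREROUTING, INPUT, FORWARD), --out-ifgroup only where an output device exists (FORWARD, OUTPUT, POSTROUTING), and when both are given both must match, each under its own "group/mask". The names ifgroup_info, ifgroup_checkentry, ifgroup_match and the hook enum are hypothetical, and the hook mask passed to the checkentry analogue is assumed to be the set of hooks a rule can be reached from, as in netfilter's real checkentry callbacks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hook points in the order of netfilter's NF_INET_* hooks (constructed enum, no kernel headers). */
enum hook {
	HOOK_PRE_ROUTING = 0,
	HOOK_LOCAL_IN,
	HOOK_FORWARD,
	HOOK_LOCAL_OUT,
	HOOK_POST_ROUTING,
};

#define IFGROUP_MATCH_IN  0x1u   /* --in-ifgroup was given */
#define IFGROUP_MATCH_OUT 0x2u   /* --out-ifgroup was given */

/* Hypothetical match info, as iptables would hand it to the kernel match. */
struct ifgroup_info {
	uint32_t in_group, in_mask;
	uint32_t out_group, out_mask;
	unsigned flags;
};

/* Hooks at which a packet carries an input device, resp. an output device. */
static const unsigned IN_HOOKS  = (1u << HOOK_PRE_ROUTING) | (1u << HOOK_LOCAL_IN) | (1u << HOOK_FORWARD);
static const unsigned OUT_HOOKS = (1u << HOOK_FORWARD) | (1u << HOOK_LOCAL_OUT) | (1u << HOOK_POST_ROUTING);

/* Parse "group[/mask]" as in "5/0x0f"; the mask defaults to all ones. */
static bool parse_group_spec(const char *spec, uint32_t *group, uint32_t *mask)
{
	char *end;
	unsigned long v = strtoul(spec, &end, 0);

	if (end == spec)
		return false;
	*group = (uint32_t)v;
	*mask = 0xffffffffu;
	if (*end == '/') {
		const char *m = end + 1;
		v = strtoul(m, &end, 0);
		if (end == m)
			return false;
		*mask = (uint32_t)v;
	}
	return *end == '\0';
}

/* checkentry analogue: reject --in-ifgroup if any reachable hook lacks an input
 * device, and --out-ifgroup if any reachable hook lacks an output device. */
static bool ifgroup_checkentry(const struct ifgroup_info *info, unsigned hook_mask)
{
	if (info->flags == 0)
		return false;
	if ((info->flags & IFGROUP_MATCH_IN) && (hook_mask & ~IN_HOOKS))
		return false;
	if ((info->flags & IFGROUP_MATCH_OUT) && (hook_mask & ~OUT_HOOKS))
		return false;
	return true;
}

/* match analogue: every requested side must match (the -i/-o semantics), each under its own mask. */
static bool ifgroup_match(const struct ifgroup_info *info, uint32_t in_dev_group, uint32_t out_dev_group)
{
	if ((info->flags & IFGROUP_MATCH_IN) && ((in_dev_group ^ info->in_group) & info->in_mask))
		return false;
	if ((info->flags & IFGROUP_MATCH_OUT) && ((out_dev_group ^ info->out_group) & info->out_mask))
		return false;
	return true;
}

/* The rule from the thread, -m ifgroup --in-ifgroup 4 --out-ifgroup 5/0x0f, loaded at a single hook h. */
static bool example_rule(struct ifgroup_info *info, enum hook h)
{
	memset(info, 0, sizeof(*info));
	if (!parse_group_spec("4", &info->in_group, &info->in_mask) ||
	    !parse_group_spec("5/0x0f", &info->out_group, &info->out_mask))
		return false;
	info->flags = IFGROUP_MATCH_IN | IFGROUP_MATCH_OUT;
	return ifgroup_checkentry(info, 1u << h);
}

/* Does the FORWARD rule accept a packet arriving on a device in in_dev_group and leaving on one in out_dev_group? */
static bool example_rule_matches(uint32_t in_dev_group, uint32_t out_dev_group)
{
	struct ifgroup_info info;

	return example_rule(&info, HOOK_FORWARD) && ifgroup_match(&info, in_dev_group, out_dev_group);
}

/* Does the same two-sided rule load at hook h? Only FORWARD has both devices. */
static bool example_rule_loads_at(enum hook h)
{
	struct ifgroup_info info;

	return example_rule(&info, h);
}

int main(void)
{
	printf("in 4 / out 0x15 (low nibble 5): %s\n", example_rule_matches(4, 0x15) ? "match" : "no match");
	printf("in 4 / out 0x16:                %s\n", example_rule_matches(4, 0x16) ? "match" : "no match");
	printf("in 3 / out 5:                   %s\n", example_rule_matches(3, 5) ? "match" : "no match");
	printf("loads in FORWARD: %d, in POSTROUTING: %d\n",
	       example_rule_loads_at(HOOK_FORWARD), example_rule_loads_at(HOOK_POST_ROUTING));
	return 0;
}
```

The XOR-and-mask form, (dev_group ^ rule_group) & mask, compares only the bits the mask selects, so an output device in group 0x15 satisfies 5/0x0f while one in 0x16 does not; the load-time check is what makes --in-ifgroup in POSTROUTING (or --out-ifgroup in PREROUTING) a configuration error rather than a silently never-matching rule.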