| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 28 Nov 2009 10:45:57 -0500 From: jamal <hadi@...erus.ca> To: KOVACS Krisztian <hidden@....bme.hu> Cc: KOVACS Krisztian <hidden@...abit.hu>, Andreas Schultz <aschultz@...p10.net>, tproxy@...ts.balabit.hu, netdev@...r.kernel.org Subject: Re: [tproxy,regression] tproxy broken in 2.6.32 On Sat, 2009-11-28 at 16:15 +0100, KOVACS Krisztian wrote: > It's already on prerouting, so that's not the problem. ok. > The problem is that for tproxy to work we've used to have a rule like > this: > > # ip rule add fwmark 1 lookup 100 > > plus a few iptables rules setting mark values. > > The issue is that previously fib_validate_source ignored the mark set on > the skb, and thus when fib_validate_source() did a FIB lookup, it all went > fine, because it found a result of type RTN_UNICAST. Ok, that would be it ;-> > However, with your > change, and because of the ip rule above not being specific enough now > it's returning with type RTN_LOCAL, and that's considered invalid and thus > the skb is dropped. Well, since we are validating a source address - only unicast routes are legitimate imo. i.e it was wrong to allow local before. > > The workaround is using more specific ip rules that include the ingress > interface name: > > # ip rule add dev eth0 fwmark 1 lookup 100 > Or adding routes into table 100 with type "unicast" would do it as well. cheers, jamal -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists