Date: Thu, 01 Apr 2010 16:03:02 +0200
From: Patrick McHardy <kaber@...sh.net>
To: Jan Engelhardt <jengelh@...ozas.de>
CC: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH 5/5] netfilter: xt_TEE: have cloned packet travel through Xtables too

Jan Engelhardt wrote:
> On Thursday 2010-04-01 15:48, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> On Thursday 2010-04-01 15:22, Patrick McHardy wrote:
>>>>>>> Conntrack loops are prevented by using a dummy conntrack, just as
>>>>>>> NOTRACK does.
>>>>>> [...]
>>>>>>> - When the cloned packets gets XFRMed or tunneled, its status switches
>>>>>>> from "special" to "plain". Doing policy routing on them does not seem
>>>>>>> so far-fetched.
>>>>>> My question was about the case without conntrack.
>>>>> Hm. Do you have any suggestion in countering a case whereby a user
>>>>> does -I OUTPUT -j TEE without conntrack?
>>>>>
>>>>> Perhaps making nesting a feature that requires conntrack, such that the
>>>>> non-CT case can't loop?
>>>> If we drop the reentrancy thing, what should work is to prevent
>>>> using loopback as output device and using something similar to
>>>> the recursion counters tunnel devices used to have.
>>> Nah. I'm going to pick a bit from struct skbuff to indicate the
>>> packet was teed so as to avoid that loop.
>> That's a bad idea, we shouldn't be adding new skb members for something
>> as peripheral as this module.
>
> I would have done this, which does not add a member:
>
> IP6CB(skb)->flags |= IPSKB_CLONED;

This doesn't work, the CB is not preserved across layers (which f.i.
matters if you allow loopback destinations). It's also not preserved
for clones.

>> What's wrong with adding a reentrancy counter?
>
> Sounds like a plan.
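The reentrancy counter the thread settles on can be shown in a small userspace model of the problem: a hook chain containing a TEE rule, where the cloned packet is sent back through the same chain and would therefore hit TEE again on every pass. The following is an added illustration written for this page, not code from xt_TEE, the posted patch or the kernel; the chain layout, the `tee_target`/`traverse_chain` names and the single static `tee_depth` counter are assumptions of the model (in the kernel such a counter has to be per-CPU, because hooks run concurrently on every CPU). The model returns how many packets leave the box for a given nesting limit, so the effect of the bound is measurable rather than just described.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed userspace model of a netfilter hook chain with a TEE rule.
 * Added illustration for this page; not xt_TEE or kernel code.
 */

enum rule { RULE_TEE, RULE_ACCEPT };

struct pkt {
    char payload[32];
    int  generation;      /* 0 = original, n = n-th nested clone */
};

/* Depth of nested TEE traversals in progress. A plain static is enough
 * for this single-threaded model; the kernel would need a per-CPU
 * variable because hooks run concurrently on every CPU. */
static int tee_depth;
static int tee_max_depth = 1;

/* Observable results of one run. */
static int packets_sent;
static int clones_dropped;    /* clones the counter refused to create */

static void send_packet(const struct pkt *p)
{
    (void)p;
    packets_sent++;
}

static void traverse_chain(struct pkt *p);

/* The TEE target: clone the packet, run the clone through the chain
 * again (the "cloned packet travels through Xtables too" behaviour the
 * thread is about), then send the clone to the tee destination. */
static void tee_target(const struct pkt *p)
{
    struct pkt clone;

    /* Reentrancy guard. The chain that handles the clone contains this
     * same TEE rule, so without a bound the clone would be teed again
     * on every pass and recursion would never terminate. */
    if (tee_depth >= tee_max_depth) {
        clones_dropped++;
        return;
    }

    clone = *p;
    clone.generation = p->generation + 1;

    tee_depth++;
    traverse_chain(&clone);
    tee_depth--;

    send_packet(&clone);
}

/* A two-rule chain: -j TEE followed by an implicit ACCEPT. */
static void traverse_chain(struct pkt *p)
{
    static const enum rule rules[] = { RULE_TEE, RULE_ACCEPT };
    size_t i;

    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (rules[i] == RULE_TEE)
            tee_target(p);    /* clone is handled; original continues */
        /* RULE_ACCEPT: nothing to do, the packet leaves the chain */
    }
}

/* Run one packet through the chain with the given nesting limit and
 * return how many packets were sent in total (original + clones). */
int run_with_limit(int max_depth)
{
    struct pkt p;

    memset(&p, 0, sizeof p);
    strcpy(p.payload, "constructed test packet");

    tee_depth = 0;
    tee_max_depth = max_depth;
    packets_sent = 0;
    clones_dropped = 0;

    traverse_chain(&p);
    send_packet(&p);
    return packets_sent;
}

/* Number of clones the guard suppressed during the last run. */
int clones_suppressed(void)
{
    return clones_dropped;
}

int main(void)
{
    int sent = run_with_limit(1);
    printf("limit 1: %d packets sent, %d clone(s) suppressed\n",
           sent, clones_suppressed());
    sent = run_with_limit(3);
    printf("limit 3: %d packets sent, %d clone(s) suppressed\n",
           sent, clones_suppressed());
    return 0;
}
```

With a limit of 1 (one nested traversal, which is what a single `-j TEE` rule needs) the run sends exactly two packets, the original and one clone, and the guard suppresses the clone's attempt to tee itself; raising the limit to 3 sends four packets and still terminates, whereas removing the check altogether never returns. The guard is what a per-skb flag in the CB could not provide here, since, as the reply notes, the CB does not survive layer transitions or cloning.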