| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 15 Mar 2011 07:49:04 +0800 From: Changli Gao <xiaosuo@...il.com> To: Jan Engelhardt <jengelh@...ozas.de> Cc: Patrick McHardy <kaber@...sh.net>, "David S. Miller" <davem@...emloft.net>, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH 1/4] netfilter: xt_connlimit: fix daddr connlimit in SNAT scenario On Tue, Mar 15, 2011 at 3:00 AM, Jan Engelhardt <jengelh@...ozas.de> wrote: > On Monday 2011-03-14 13:42, Changli Gao wrote: > >> >>Yes, you are correct only when there is no SNAT rule. If there is an >>SNAT rule: >> >>-t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source 192.168.0.1 >> >>the final tuples will be: >>src = home dst = router src=1.2.3.4 dst=192.168.0.1 >> >>However, the tuple saved by connlimit is src=1.2.3.4 dst=home, so this >>conn will be removed later as there isn't any conntrack, which has >>this tuple in any direction. > > But I don't yet see how your patch #1 can help. At the time > conn->tupleĀ = *tuple is done, *tuple still contains the non-SNATed > tuple, and it is never updated again. > In this patch, conn->addr is used to save the destination/source address instead of conn->tuple.src.u3, so the conn->tuple is used for conntrack lookup only. Just as the original tuple isn't updated, we can use it to looking up the associated conntrack all the time. addr: 192.168.0.1 tuple: src = home, dst = router -- Regards, Changli Gao(xiaosuo@...il.com) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists