Open Source and information security mailing list archives
Message-ID: <200401290159.i0T1xcmC028730@caligula.anu.edu.au>
From: avalon at caligula.anu.edu.au (Darren Reed)
Subject: ipfilter port to linux

In some mail from Ian Latter, sie said:
> 
> > If anyone is currently working on this I'd like to hear from them. 
> 
> I thought the ANU guys had made an ipfilter port to linux at about

Heh.  That's a funny categorisation of people :)

> (linux) kernel 2.0 (it was an option against ipfwadm) .. but I have
> just done a quick search and I can't see any reference to that.

FWIW, I've recommended work on that and it is about 80% there, I think.
I was working with 2.4.18-20 or whatever comes with RedHat 9.0.  I've
not yet tried 2.6 but it should not be a lot of work since I've adapted
my code to use the netfilter interface.  So having done the ground work
of being (AFAIK :) the first outside of the core linux community to do
such a task, I'm sure others can now copy and follow...

If you're interested in progress, you can download current source from:
http://coombs.anu.edu.au/~avalon/ipf40beta5.tar.gz

The 20% that I'm not sure about involves ipfilter generating packets
and doing things like trying to determine if a packet has a spoofed
source address based on routing tables or generate packets itself -
the problem here is in trying to find the right Linux kernel API to use,
if at all possible.  While it might be open source and all, it's
preferable for users to not have to patch linux kernel source (building
a kernel module for Linux and having it "just work" is nowhere near
as easy as it is on *ANY* other Un*x platform I target.)  Now if someone
wanted a *real* 2.7 feature to add to linux, it'd be supporting building a
kernel module without requiring /usr/src/linux to be present...but I
can hear the screams already telling me why that's such a bad idea :)

Darren
