| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 Oct 2007 16:18:51 +0300 From: Al Boldi <a1426z@...ab.com> To: Patrick McHardy <kaber@...sh.net> Cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [RFD] iptables: mangle table obsoletes filter table Patrick McHardy wrote: > Al Boldi wrote: > >>>The problem is that people think they are safe with the filter table, > >>>when in fact they need the prerouting chain to seal things. Right now > >>>this is only possible in the mangle table. > >> > >>Why do they need PREROUTING? > > > > Well, for example to stop any transient packets being forwarded. You > > could probably hack around this using mark's, but you can't stop the > > implied route lookup, unless you stop it in prerouting. > > This also works fine in FORWARD with a little extra overhead. > If you really have to save resources, you should use PREROUTING/raw > to also avoid the creation of a connection tracking entry. Yes sure, if you use nat. But can you see how forcing people into splitting their rules across tables adds complexity. And without ipt_REJECT patch, they can't even use REJECT in prerouting, which forces them to do some strange hacks. IMHO, we should make things as easily configurable as possible, and as things stand right now, the filter-table is completely useless for 99% of use-cases. Thanks! -- Al - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists