| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <499C3E34.7080405@trash.net> Date: Wed, 18 Feb 2009 17:58:28 +0100 From: Patrick McHardy <kaber@...sh.net> To: Alan Stern <stern@...land.harvard.edu> CC: netdev@...r.kernel.org, Kernel development list <linux-kernel@...r.kernel.org> Subject: Re: [BUG] SNAT sometimes allows packets to pass through unchanged Alan Stern wrote: > On Mon, 16 Feb 2009, Patrick McHardy wrote: > >> The NAT table only sees the first packet of every connection >> and never INVALID packets. The mangle table should work fine. > > I ended up adding a rule to the FORWARD chain of the filter table. > The trick was to select based on the state. That worked; it saw all > those un-NATed packets and was able to eliminate them. In case you're > curious, the rule was essentially this: > > iptables -A FORWARD -o eth1 -s 10.0.0.0/8 -m state --state INVALID -j DROP > > Ideally, the rule should select all the packets which haven't been > altered by SNAT, not just the ones marked INVALID. Is there any way to > do this? Not in the sense that you could somehow catch valid packets "missed" by SNAT, that would be a bug. The conntrack match supports matching on whether the state says that a packet should be NATed. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists