| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190903194809.GD13660@breakpoint.cc>
Date: Tue, 3 Sep 2019 21:48:09 +0200
From: Florian Westphal <fw@...len.de>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: Florian Westphal <fw@...len.de>,
Leonardo Bras <leonardo@...ux.ibm.com>,
netfilter-devel@...r.kernel.org, coreteam@...filter.org,
bridge@...ts.linux-foundation.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
Jozsef Kadlecsik <kadlec@...filter.org>,
Roopa Prabhu <roopa@...ulusnetworks.com>,
Nikolay Aleksandrov <nikolay@...ulusnetworks.com>,
"David S. Miller" <davem@...emloft.net>
Subject: Re: [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6
and ipv6 module is disabled
Pablo Neira Ayuso <pablo@...filter.org> wrote:
> > > I was expecting we could find a way to handle this from br_netfilter
> > > alone itself.
> >
> > We can't because we support ipv6 fib lookups from the netdev family
> > as well.
> >
> > Alternative is to auto-accept ipv6 packets from the nf_tables eval loop,
> > but I think its worse.
>
> Could we add a restriction for nf_tables + br_netfilter + !ipv6. I
> mean, if this is an IPv6 packet, nf_tables is on and IPv6 module if
> off, then drop this packet?
We could do that from nft_do_chain_netdev().
Powered by blists - more mailing lists