lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 02 Mar 2009 12:02:05 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	Stephen Hemminger <shemminger@...tta.com>
CC:	David Miller <davem@...emloft.net>,
	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH] iptables: new strict host model match

Stephen Hemminger wrote:
> This is a simple little iptables match that can be used to create the Strong
> End System model, that router and other non-Linux customers expect. There
> are management and other applications that use ping and expect to only get
> a response when the interface with that address is up. Normally, a Linux
> system will respond to a packet that arrives for any of the system addresses
> independent of which link it arrives on.
> 
> The module can be used on the INPUT chain like:
> 
> # iptables -P INPUT DROP
> # iptables -A INPUT -m strict -j ACCEPT

The idea makes sense ..

> +static bool strict_mt(const struct sk_buff *skb, const struct xt_match_param *par)
> +{
> +	struct in_device *in_dev;
> +	bool ret;
> +
> +	rcu_read_lock();
> +	in_dev = __in_dev_get_rcu(skb->dev);
> +	ret = (in_dev && inet_addr_onlink(in_dev, ip_hdr(skb)->daddr, 0));
> +	rcu_read_unlock();
> +
> +	return ret;
> +}

I'm not sure this is correct, I think it will only allow communication
with truely on-link addresses, meaning it won't accept routed packets
going to the interface address. Generally I don't think this can be
fully done in iptables since you'd still have to deal with ARP etc.
An IPv4 sysctl might be more appropriate.

Just for the IPv4 packets, I'm wondering if the intended result could
be achieved using the addrtype match. Something like:

-m addrtype --limit-iface-in --dst-type LOCAL

should check whether the destination address is local to the receiving
interface.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists