lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <3512771A-B2D4-48F5-90A6-AF0FAA1633D5@elte.hu>
Date:	Thu, 30 Apr 2009 22:26:24 +0200
From:	Tóth László Attila <panther@...e.hu>
To:	David Miller <davem@...emloft.net>
Cc:	panther@...abit.hu, kaber@...sh.net, mingo@...e.hu,
	netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
	hidden@....bme.hu, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] xt_socket: checks for the state of nf_conntrack

Hi Dave,

On 2009.04.30., at 18:39, David Miller wrote:

> From: Laszlo Attila Toth <panther@...abit.hu>
> Date: Thu, 30 Apr 2009 17:35:55 +0200
>
>> xt_socket can use connection tracking, and checks whether it is a  
>> module.
>>
>> Signed-off-by: Laszlo Attila Toth <panther@...abit.hu>
>
> I don't understand why we want what this is doing....
>

Most of the time the source / destination addresses and ports of the  
packet are enough to lookup the corresponding socket. With the SNAT  
target this kind of lookup is broken. The socket match is in the  
mangle table, before nat, thus it can see only the destination address  
set by the SNAT target (this is the reply direction). If we want to  
support SNAT, we need nf_conntrack.  But this is optional, if  
connection tracking is not in the kernel, the socket match will  
compiled without it....

>> +	depends on !NF_CONNTRACK || NF_CONNTRACK
>
> This means that if NF_CONNTRACK is modular, it won't allow
> the xt_socket code to be built.
>

I checked that if NF_.CONNTRACK is disabled, the socket match will be  
allowed to be built either into a module, or into vmlinuz. If  
NF_CONNTRACK is "y", it is exactly the same. If NF_CONNTRACK=m, the  
socket match can only be a module.

> However, all of this stuff should be buildable modular.

--
Attila--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ