Message-Id: <1259337932.3299.3.camel@bigi>
Date:	Fri, 27 Nov 2009 11:05:32 -0500
From:	jamal <hadi@...erus.ca>
To:	KOVACS Krisztian <hidden@...abit.hu>
Cc:	Andreas Schultz <aschultz@...p10.net>, tproxy@...ts.balabit.hu,
	netdev@...r.kernel.org
Subject: Re: [tproxy,regression] tproxy broken in 2.6.32

On Fri, 2009-11-27 at 09:26 +0100, KOVACS Krisztian wrote:
> Hi,
> 
> On Thu, 2009-11-26 at 18:19 +0100, Andreas Schultz wrote:
> > Hi,
> > 
> > git bisect shows that TPROXY has been broken by commit
> > f7c6fd2465d8e6f4f89c5d1262da10b4a6d499d0, [PATCH] net: Fix RPF to work
> > with policy routing
> > 
> > I had a look at the patch, and it seems logical that this would break TPROXY.
> 
> Indeed, that's a good catch. If this is indeed the problem you should be
> able to work it around by disabling rpfilter on the ingress interface.
> Does it work that way?

Not familiar with tproxy, but I suspect the system doesn't see the mark
before policy routing happens. So probably the wrong route cache gets
created. Easy to validate by dumping the route cache.
If that's so, you have to set the mark in the pre-route hook if it uses
iptables.

cheers,
jamal

