| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Nov 2009 11:05:32 -0500 From: jamal <hadi@...erus.ca> To: KOVACS Krisztian <hidden@...abit.hu> Cc: Andreas Schultz <aschultz@...p10.net>, tproxy@...ts.balabit.hu, netdev@...r.kernel.org Subject: Re: [tproxy,regression] tproxy broken in 2.6.32 On Fri, 2009-11-27 at 09:26 +0100, KOVACS Krisztian wrote: > Hi, > > On Thu, 2009-11-26 at 18:19 +0100, Andreas Schultz wrote: > > Hi, > > > > git bisect shows that TPROXY has been broken by commit > > f7c6fd2465d8e6f4f89c5d1262da10b4a6d499d0, [PATCH] net: Fix RPF to work > > with policy routing > > > > I had a look at the patch, and it seems logical that this would break TPROXY. > > Indeed, that's a good catch. If this is indeed the problem you should be > able to work it around by disabling rpfilter on the ingress interface. > Does it work that way? Not familiar with tproxy, but I suspect the system doesnt see the mark before policy routing happens. So probably the wrong route cache gets created. Easy to validate by dumping the route cache. If thats so, you have to set the mark in pre-route hook if it uses iptables. cheers, jamal -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists