lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sat, 28 Nov 2009 12:36:14 -0500
From:	jamal <>
To:	Patrick McHardy <>
Cc:	KOVACS Krisztian <>,
	KOVACS Krisztian <>,
	Andreas Schultz <>,,
Subject: Re: [tproxy,regression] tproxy broken in 2.6.32

On Sat, 2009-11-28 at 18:07 +0100, Patrick McHardy wrote:

> Right, its source validation. But the setup is valid, its asking for
> specifically marked packets to be delivered locally for transparent
> proxying. There's no requirement that rules using marks must resolve

True, but that requirement is needed for source validation;->
i.e it is source address validation imposing the requirement
that we must have a RTN_UNICAST route. The tproxy iproute setup entered
a route that was not RTN_UNICAST. I think that the packet deserves to be
beaten with a club then dropped hard into an abyss (Feel free to come up
with  something more medievial to do to it Patrick;-> )
It doesnt make sense to have a source address that is not unicast
belonging to a host or pretending to belong to a host.
So i didnt introduce that logic thats causing this pain.
If it worked before it was hack or fluke imo ;-> If we think that
source address validation needs to check for something else
additionally, i think thats a separate topic (but doesnt
seem worth a change)


To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists