Message-Id: <1259585129.3992.13.camel@nienna.balabit>
Date:	Mon, 30 Nov 2009 13:45:29 +0100
From:	KOVACS Krisztian <hidden@...abit.hu>
To:	hadi@...erus.ca
Cc:	KOVACS Krisztian <hidden@....bme.hu>,
	Patrick McHardy <kaber@...sh.net>,
	Andreas Schultz <aschultz@...p10.net>, tproxy@...ts.balabit.hu,
	netdev@...r.kernel.org
Subject: Re: [tproxy,regression] tproxy broken in 2.6.32

Hi,

On Mon, 2009-11-30 at 07:15 -0500, jamal wrote:
> On Sun, 2009-11-29 at 21:35 +0100, KOVACS Krisztian wrote:
> 
> > The story is that we really do want to deliver these packets locally, as
> > if the destination IP address was locally configured on the host. The only
> > way I know of to get the packet to ip_local_deliver() is by using a local
> > route.
> 
> Aha, now I understand where both you and Patrick are coming from. So
> you literally have to hit the main (or default) table in the reverse
> source validation. How does the workaround (that you suggested) work
> then? i.e. you are going to fail the RTN_UNICAST test no matter what.

No, because by narrowing the rule to specific ingress interfaces the
lookup done in fib_validate_source() won't match the rule(s) (because
the flow used will have iif set to the loopback device), and thus it
will look up the main table and select a unicast route.

> Dave, give me some short time to mull this over. I am not sure I like
> the sysctl approach - we may have to just revert the whole thing
> instead.

I don't think it would be unreasonable to add a sysctl but disable the
feature by default. It's up to you, of course.

Cheers,
Krisztian
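To make the workaround discussed above concrete, here is an added shell example (not code from this thread or from the tproxy project) that shows the usual TPROXY policy-routing setup with the broad fwmark rule beside the rule narrowed to one ingress interface. The interface name eth0, routing table 100, mark 0x1 and the port numbers are assumed placeholder values.

```shell
#!/bin/sh
# Added example: TPROXY routing setup, broad rule vs. rule narrowed to an
# ingress interface. IFACE, TABLE, MARK and the ports are assumed
# placeholder values, not taken from the thread.
IFACE="${IFACE:-eth0}"
TABLE="${TABLE:-100}"
MARK="${MARK:-0x1}"

# Local route: everything resolved through table $TABLE is delivered
# locally (ip_local_deliver), as if the destination address were
# configured on this host.
local_route_cmd() {
    echo "ip route add local 0.0.0.0/0 dev lo table $TABLE"
}

# Broad rule: matches every marked packet, including the reverse lookup
# fib_validate_source() performs with iif set to loopback, so that
# lookup hits the RTN_LOCAL route and fails the RTN_UNICAST test.
broad_rule_cmd() {
    echo "ip rule add fwmark $MARK lookup $TABLE"
}

# Narrowed rule: only packets that arrived on $IFACE use the local table.
# The reverse lookup (iif = lo) does not match, falls through to the main
# table and selects a unicast route, so source validation passes.
narrowed_rule_cmd() {
    echo "ip rule add iif $IFACE fwmark $MARK lookup $TABLE"
}

# Mark inbound HTTP connections on $IFACE and hand them to a proxy
# listening on local port 8080 (assumed values).
tproxy_mangle_cmd() {
    echo "iptables -t mangle -A PREROUTING -i $IFACE -p tcp --dport 80 -j TPROXY --tproxy-mark $MARK/$MARK --on-port 8080"
}

# The complete narrowed setup, one command per line.
setup_cmds() {
    local_route_cmd
    narrowed_rule_cmd
    tproxy_mangle_cmd
}

# Print the commands by default; "apply" (as root) installs them.
if [ "${1:-}" = "apply" ]; then
    setup_cmds | while read -r cmd; do sh -c "$cmd"; done
else
    setup_cmds
fi
```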
