| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LSU.2.01.1004011258060.17429@obet.zrqbmnf.qr> Date: Thu, 1 Apr 2010 13:03:49 +0200 (CEST) From: Jan Engelhardt <jengelh@...ozas.de> To: Patrick McHardy <kaber@...sh.net> cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH 5/5] netfilter: xt_TEE: have cloned packet travel through Xtables too On Thursday 2010-04-01 12:37, Patrick McHardy wrote: >Jan Engelhardt wrote: >> Since Xtables is now reentrant/nestable, the cloned packet can also go >> through Xtables and be subject to rules itself. > >That sounds dangerous if conntrack isn't used to prevent loops. Conntrack loops are prevented by using a dummy conntrack, just as NOTRACK does. >Is that really useful? For filtering, you can simply apply the >rules before deciding to TEE the packet. I can think of a handful of applications: - CLASSIFY - When the cloned packets gets XFRMed or tunneled, its status switches from "special" to "plain". Doing policy routing on them does not seem so far-fetched. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists