| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Aug 2010 06:39:42 +0800 From: Changli Gao <xiaosuo@...il.com> To: Herbert Xu <herbert@...dor.apana.org.au> Cc: Patrick McHardy <kaber@...sh.net>, Stephen Hemminger <shemminger@...tta.com>, netdev@...r.kernel.org Subject: Re: Yet another bridge netfilter crash On Tue, Aug 10, 2010 at 5:42 AM, Herbert Xu <herbert@...dor.apana.org.au> wrote: > On Wed, Aug 04, 2010 at 06:50:50PM +0200, Patrick McHardy wrote: > . >> >> Until we come up with something better the best fix seems to >> >> be to perform the device lookup based on the iif. >> > >> > I don't think we can as the iif will point to the bridge device. >> > The physindev contains the original physical device where the >> > packet came in. >> >> If it originally points to the bridge device, there doesn't >> seem anything wrong with the device pointing to the bridge >> device after reassembly. Am I missing something? > > It's there so that netfilter rules can filter based on the original > inbound interface. > > If you set it to the bridge then those rules won't work anymore. > How about always using the skb->nf_bridge of the skb last received in a defrag queue as the nf_bridge of the final defraged skb? I have posted a patch doing such thing. http://patchwork.ozlabs.org/patch/60904/ Thanks. -- Regards, Changli Gao(xiaosuo@...il.com) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists