| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LFD.2.00.1106080913150.1457@ja.ssi.bg> Date: Wed, 8 Jun 2011 09:26:04 +0300 (EEST) From: Julian Anastasov <ja@....bg> To: Patrick McHardy <kaber@...sh.net> cc: Pablo Neira Ayuso <pablo@...filter.org>, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH] netfilter: nf_nat: avoid double nat for loopback Hello, On Wed, 8 Jun 2011, Patrick McHardy wrote: > >> to the IPS_SEQ_ADJUST_BIT case to at least avoid it in some cases. > >> Would that work or am I missing something? > > > > Logically, the new check can be after > > test_bit(IPS_SEQ_ADJUST_BIT, &ct->status). But I suspect > > some modules adjust seqs in the helper->help call, > > for example, sip_help_tcp if I'm correctly reading the > > code. > > Yes, you're right. But it's the only one since it's the only helper > doing possibly many modifications on a single TCP packet, which can't > be handled by the generic code properly. So if you're worried about > performance costs, I'd have no problems adding this check to the SIP > helper. OK, I'm posting new version just for seq adjustment. I'm not fixing sip_help_tcp because I'm not sure what is the right fix, we must be sure that calling sip_help_tcp twice is not a problem. Regards -- Julian Anastasov <ja@....bg> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists