Date:	Thu,  5 Mar 2015 00:52:32 +0100
From:	Florian Westphal <fw@...len.de>
To:	<netfilter-devel@...r.kernel.org>
Cc:	netdev@...r.kernel.org
Subject: [PATCH nf-next 0/8] netfilter: untangle bridge and bridge netfilter

netfilter_bridge.h contains various helpers, some only used by br_netfilter;
others, however, are also called from the bridge or even the IP stack.

Let's start untangling bridge, bridge netfilter, and the
rest of the IP stack (esp. ip_fragment).

This changes ip_fragment() so that bridge netfilter
can pass in the required information as arguments instead
of using skb->nf_bridge to pass some extra information to it.

Another problem with br_netfilter and the way it's plumbed to
ip/ip6-tables (physdev match) is skb->nf_bridge.

nf_bridge is a kmalloc'ed blob with some extra information, including
the bridge in and out ports (mainly for iptables' physdev match).
It also has various state bits so we know what manipulations
have been performed by bridge netfilter on the skb (e.g.
ppp header stripping).

nf_bridge also provides scratch space where br_netfilter saves
(and later restores) various things, e.g. ipv4 address for
dnat detection, mac address to fix up ip fragmented skbs, etc.

But in almost all cases we can avoid using ->data completely.

Tested on a host connected to a kvm bridge:
ping -s $bignum $ip_behind_bridge
-j REDIRECT
-j DNAT --to-destination $ip_behind_bridge

 include/linux/netfilter_bridge.h |   86 -------------------------
 include/linux/skbuff.h           |    2 
 include/net/ip.h                 |    8 +-
 net/bridge/br_device.c           |   27 +++++++-
 net/bridge/br_forward.c          |    4 -
 net/bridge/br_netfilter.c        |  131 ++++++++++++++++++++++++++++++---------
 net/ipv4/ip_output.c             |   47 ++++++++-----
 7 files changed, 161 insertions(+), 144 deletions(-)
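The test the cover letter sketches (large pings across a bridge running br_netfilter, plain and then with REDIRECT and DNAT applied to the bridged fragments), written out as a self-contained script. This is an added example, not part of Florian's series or of the kernel tree: the namespace, bridge, veth and address names are invented, the iptables rules assume br_netfilter is loaded with net.bridge.bridge-nf-call-iptables=1 so that the physdev match sees bridged frames, and the topology setup needs root plus iproute2, iptables and ping.

```shell
#!/bin/sh
# Added example (not from the patch series): reproduce the cover letter's
# test on an isolated bridge. Two network namespaces sit on two ports of a
# bridge in the root namespace, so the root namespace's br_netfilter sees
# every frame bridged between them. All names below are assumptions.
set -eu

BR=brnf-test          # assumed bridge name
SENDER_NS=brnf-a      # assumed namespace on one bridge port
TARGET_NS=brnf-b      # assumed namespace on the other bridge port
SENDER_IP=10.99.0.1
TARGET_IP=10.99.0.2
BRIDGE_IP=10.99.0.254 # gives REDIRECT a local address to map to
MTU=1500

# Smallest ICMP echo payload (ping -s) that no longer fits in one IPv4
# frame on a link with the given MTU: subtract the 20-byte IPv4 header and
# the 8-byte ICMP header, then add one byte to force fragmentation.
min_fragmenting_payload() {
    echo $(( $1 - 20 - 8 + 1 ))
}

# nat/PREROUTING rules keyed on the bridge port the frame came in on. The
# physdev match is the iptables side of skb->nf_bridge; it only matches
# bridged frames when br_netfilter is loaded and bridge-nf-call-iptables=1.
redirect_rule() {
    echo "iptables -t nat -A PREROUTING -m physdev --physdev-in $1" \
         "-p icmp --icmp-type echo-request -j REDIRECT"
}

dnat_rule() {
    echo "iptables -t nat -A PREROUTING -m physdev --physdev-in $1" \
         "-p icmp --icmp-type echo-request -j DNAT --to-destination $2"
}

setup_topology() {
    modprobe br_netfilter
    ip netns add "$SENDER_NS"
    ip netns add "$TARGET_NS"
    ip link add "$BR" type bridge
    ip link add v-a type veth peer name v-a-ns
    ip link add v-b type veth peer name v-b-ns
    ip link set v-a-ns netns "$SENDER_NS"
    ip link set v-b-ns netns "$TARGET_NS"
    ip link set v-a master "$BR"
    ip link set v-b master "$BR"
    for dev in v-a v-b "$BR"; do ip link set "$dev" up; done
    ip addr add "$BRIDGE_IP/24" dev "$BR"
    ip -n "$SENDER_NS" addr add "$SENDER_IP/24" dev v-a-ns
    ip -n "$TARGET_NS" addr add "$TARGET_IP/24" dev v-b-ns
    ip -n "$SENDER_NS" link set v-a-ns up
    ip -n "$TARGET_NS" link set v-b-ns up
    ip -n "$TARGET_NS" link set lo up
    sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# The three cases from the cover letter: a fragmented ping through the
# bridge, then the same ping with REDIRECT and with DNAT on the sender's
# bridge port. The sender fragments; br_netfilter reassembles the fragments
# for iptables and refragments them on the way out.
run_tests() {
    size=$(min_fragmenting_payload "$MTU")
    ip netns exec "$SENDER_NS" ping -c 3 -s "$size" "$TARGET_IP"
    sh -c "$(redirect_rule v-a)"
    ip netns exec "$SENDER_NS" ping -c 3 -s "$size" "$TARGET_IP"
    iptables -t nat -F PREROUTING
    sh -c "$(dnat_rule v-a "$TARGET_IP")"
    ip netns exec "$SENDER_NS" ping -c 3 -s "$size" "$TARGET_IP"
    iptables -t nat -F PREROUTING
}

cleanup() {
    # deleting a namespace removes its veth end and therefore the peer too
    ip netns del "$SENDER_NS" 2>/dev/null || true
    ip netns del "$TARGET_NS" 2>/dev/null || true
    ip link del "$BR" 2>/dev/null || true
}

# Only touch the system when explicitly asked: `sh brnf-test.sh run`.
if [ "${1:-}" = "run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "needs root" >&2; exit 1; }
    trap cleanup EXIT
    setup_topology
    run_tests
fi
```

With `-s 1473` on a 1500-byte MTU the echo request is 1501 bytes of IP and must be split, which is exactly the case where br_netfilter has to carry the saved MAC address across ip_fragment(); a payload of 1472 or less goes through in one frame and exercises none of the code the series touches.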
