Message-ID: <550C4901.4070001@zonque.org>
Date:	Fri, 20 Mar 2015 17:21:21 +0100
From:	Daniel Mack <daniel@...que.org>
To:	Florian Westphal <fw@...len.de>
CC:	Daniel Borkmann <dborkman@...hat.com>,
	Alexey Perevalov <a.perevalov@...sung.com>,
	Pablo Neira Ayuso <pablo@...filter.org>,
	netdev <netdev@...r.kernel.org>
Subject: Re: cgroup matches in INPUT chain

On 03/20/2015 05:11 PM, Florian Westphal wrote:
> Daniel Mack <daniel@...que.org> wrote:
>> In my simple test setup, when skbs are dequeued by process_backlog(),
>> they have skb->_skb_refdst set, and hence ip_rcv_finish() does not call
>> into early_demux() prior to iterating the INPUT chain:
> 
> Yes, because we already have a route set.
> 
> Are we talking about loopback?

I'm testing this on the loopback device, but I've seen similar behavior
on external interfaces too. However, I fail to see a pattern in that.

> What are you trying to do?

Basically, I have a simple server that listens on a TCP port, accepts a
connection, writes out a short string and closes the connection again.
The process is put into a netcls cgroup controller, and a classid is
assigned to it, and I'm trying to catch all traffic sent to it (regardless
of the interface in use) with a netfilter rule.

However, that doesn't work, because under the described circumstances,
the match callback of the cgroup netfilter module is always called with
an skb that has no sk set.


Thanks for your help!


Daniel
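The setup described above, written out as an added reproduction script (this is not code from the thread or from the kernel tree). It assumes a cgroup v1 net_cls hierarchy, iptables with the cgroup match, python3 for the toy server and root privileges; the classid 0x00100001, the port 4444 and the cgroup name are arbitrary values chosen for the example. It installs a counting rule in INPUT and one in OUTPUT for the same classid, makes one loopback connection from outside the cgroup, and then compares the two packet counters: a zero INPUT count next to a non-zero OUTPUT count is the symptom the message reports, i.e. the match callback ran with no skb->sk on the inbound path. The privileged part only runs when the script is invoked with the argument `run`.

```shell
#!/bin/sh
# Added reproduction script for the cgroup-match-in-INPUT question above.
# Not from the original thread. Assumed environment: cgroup v1 net_cls,
# iptables with -m cgroup, python3, root. CLASSID_HEX, PORT and the cgroup
# directory name are arbitrary values constructed for this example.
set -u

CLASSID_HEX=0x00100001
PORT=${PORT:-4444}
CGROUP_ROOT=/sys/fs/cgroup/net_cls
CGROUP=$CGROUP_ROOT/xt_cgroup_repro

# net_cls.classid is written as hex, but `iptables -vnL` prints the classid
# in decimal, so convert once and use the decimal form when searching rules.
classid_dec() {
    printf '%d' "$1"
}

# Print the packet counter (column 1) of the first rule in an
# `iptables -vnL -x` listing (read from stdin) whose text contains $1.
rule_pkts() {
    awk -v pat="$1" 'index($0, pat) { print $1; exit }'
}

# Compare the two counters. Returns 1 when the INPUT rule never fired while
# the OUTPUT rule did, which is the behaviour the message describes.
verdict() {
    in_pkts=$1; out_pkts=$2
    if [ "$out_pkts" -gt 0 ] && [ "$in_pkts" -eq 0 ]; then
        echo "REPRODUCED: cgroup match never fired in INPUT ($in_pkts in, $out_pkts out)"
        return 1
    fi
    echo "OK: cgroup match fired in INPUT ($in_pkts in, $out_pkts out)"
    return 0
}

setup() {
    id=$(classid_dec "$CLASSID_HEX")
    mountpoint -q "$CGROUP_ROOT" || {
        mkdir -p "$CGROUP_ROOT"
        mount -t cgroup -o net_cls net_cls "$CGROUP_ROOT"
    }
    mkdir -p "$CGROUP"
    printf '%s\n' "$CLASSID_HEX" > "$CGROUP/net_cls.classid"
    # Counting rules only; the ACCEPT verdict matches the default policy.
    iptables -I INPUT  -p tcp --dport "$PORT" -m cgroup --cgroup "$id" -j ACCEPT
    iptables -I OUTPUT -p tcp --sport "$PORT" -m cgroup --cgroup "$id" -j ACCEPT
}

# Toy server: move the child shell into the cgroup first so the listening
# socket is created with the classid, then exec the server in place.
start_server() {
    sh -c "echo \$\$ > '$CGROUP/tasks'; exec python3 -c '
import socket
s = socket.socket(); s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((\"127.0.0.1\", $PORT)); s.listen(1)
while True:
    c, _ = s.accept(); c.sendall(b\"hello\\n\"); c.close()
'" &
    SERVER_PID=$!
    sleep 1
}

run_test() {
    id=$(classid_dec "$CLASSID_HEX")
    # One client connection from outside the cgroup, over loopback.
    python3 -c "import socket; s = socket.create_connection(('127.0.0.1', $PORT)); s.recv(16); s.close()"
    in_pkts=$(iptables -vnL INPUT -x  | rule_pkts "cgroup $id")
    out_pkts=$(iptables -vnL OUTPUT -x | rule_pkts "cgroup $id")
    verdict "${in_pkts:-0}" "${out_pkts:-0}"
}

cleanup() {
    id=$(classid_dec "$CLASSID_HEX")
    kill "${SERVER_PID:-}" 2>/dev/null
    iptables -D INPUT  -p tcp --dport "$PORT" -m cgroup --cgroup "$id" -j ACCEPT 2>/dev/null
    iptables -D OUTPUT -p tcp --sport "$PORT" -m cgroup --cgroup "$id" -j ACCEPT 2>/dev/null
    rmdir "$CGROUP" 2>/dev/null
}

# The privileged part only runs on an explicit request: ./repro.sh run
if [ "${1:-}" = run ]; then
    trap cleanup EXIT
    setup
    start_server
    run_test
fi
```

Run it as root with `sh repro.sh run`; the OUTPUT rule is there as a control, so a result of "0 in, N out" isolates the inbound path rather than a broken classid assignment. To check the external-interface case the message mentions, bind the server to a non-loopback address and connect from another host.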