Message-ID: <20150626224825.GB28820@electric-eye.fr.zoreil.com>
Date:	Sat, 27 Jun 2015 00:48:25 +0200
From:	Francois Romieu <romieu@...zoreil.com>
To:	Andy Lutomirski <luto@...capital.net>
Cc:	Network Development <netdev@...r.kernel.org>
Subject: Re: Why can't we SNAT (or inverse DNAT) in PREROUTING?

Andy Lutomirski <luto@...capital.net> :
> [re-add netdev -- I assume you meant to reply all]

Thanks. Late Friday.

> On Fri, Jun 26, 2015 at 1:32 PM, Francois Romieu <romieu@...zoreil.com> wrote:
> > Andy Lutomirski <luto@...capital.net> :
> > [...]
> >> Could we add some option to do SNAT and inverse DNAT before routing?
> >
> > I haven't used it for ages but what's wrong with iptables + fwmark ?
> >
> > It takes place in PREROUTING.
> 
> This works, but it seems unnecessarily painful.  It means that all of
> my policy rules have to be duplicated with fwmark rules based on '-m
> conntrack' or similar.

I'd rather say that the fwmark rules will duplicate the SNAT rules, since
your routing policy depends on the post-SNAT source addresses. You'd
be right to complain that it does not really help :o)

> Shouldn't the order of operations be:
> 
> 1. Check rp_filter.
> 
> 2. Handle NAT.
> 
> 3. Routing decision.
> 
> ?

The admittedly painful fwmark part would still be needed for pre-NAT
source address based policy routing (assuming SNAT loses valuable policy
information). Life would be easier for your current requirements but
some different policy requirements would be unable to avoid the
fwmark/mangle style stuff.

Btw, the suggested scheme implies that filtering between SNAT and DNAT
would be done before routing, thus without INPUT vs FORWARD tainting.

It may be done but it would be a different beast and I can't help thinking
that routing and filtering would overlap.

-- 
Ueimor
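The fwmark workaround discussed in this thread, written out as an added example (not code from the thread or from any of its participants): the mangle/PREROUTING mark rule repeats the selector of the nat/POSTROUTING SNAT rule, and `ip rule` routes on the mark because SNAT has not yet rewritten the source when the routing decision is made. LAN prefixes, public addresses (RFC 5737 documentation ranges), interface names, mark values and table ids are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): carry the pre-NAT source into the
# routing decision with an fwmark, since SNAT only happens in POSTROUTING,
# after the route has been chosen. Prefixes, public addresses (RFC 5737
# documentation ranges), interfaces, marks and table ids are constructed.
# DRY_RUN=1 prints each command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# one_upstream <lan-prefix> <mark> <table> <out-if> <gateway> <public-ip>
# The mangle/PREROUTING rule and the nat/POSTROUTING rule share the same
# selector (-s <lan-prefix>): that is the duplication the thread complains
# about. The mark is what 'ip rule' can see before SNAT has rewritten
# the source address.
one_upstream() {
    lan=$1 mark=$2 table=$3 oif=$4 gw=$5 pub=$6
    run iptables -t mangle -A PREROUTING -s "$lan" -j MARK --set-mark "$mark"
    run ip rule add fwmark "$mark" table "$table"
    run ip route add default via "$gw" dev "$oif" table "$table"
    run iptables -t nat -A POSTROUTING -s "$lan" -o "$oif" -j SNAT --to-source "$pub"
}

# Two LAN prefixes, each pinned to its own upstream and its own public
# address. Replies come back with dst == the public address, are un-SNATed
# in nat/PREROUTING (the "inverse" step, before routing) and reach the LAN
# through the main table, so they need no mark.
setup() {
    one_upstream 10.0.1.0/24 1 101 eth0 192.0.2.1 192.0.2.10
    one_upstream 10.0.2.0/24 2 102 eth1 198.51.100.1 198.51.100.10
}

if [ "${1:-}" = apply ]; then
    setup
fi
```

`DRY_RUN=1 sh script.sh apply` shows the eight commands that would be issued; without `DRY_RUN` it applies them, and any policy that wants to match on the original source must keep its mark rule in step with the SNAT rule it mirrors.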