Message-ID: <20150714113531.GD25674@breakpoint.cc>
Date: Tue, 14 Jul 2015 13:35:31 +0200
From: Florian Westphal <fw@...len.de>
To: "Yigal Reiss (yreiss)" <yreiss@...co.com>
Cc: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [PATCH] brouted packet identified as PACKET_OTHERHOST blocked by higher protocol
Yigal Reiss (yreiss) <yreiss@...co.com> wrote:
> > No, that's not the problem you're trying to solve.
> >
> > If you want to move OTHERHOST skbs, don't (b)route them?
> >
> > What's the real issue that you're trying to solve?
>
> I want to (b)route them because I want to be able to inspect the packets in higher levels
> (through iptables or user space IPS).
For nfqueue via iptables, use call-iptables sysctl?
Alternatively, implement NFQUEUE support for NF_BRIDGE family,
we'll need this eventually for nftables bridge family anyway.
AF_PACKET should just 'work' without brouting.
> Once I do that (i.e. (b)route by applying an appropriate ebtables rule), the corresponding
> packets get dropped unless I apply the patch.
Maybe, but if you broute everything you might as well just remove the
bridge...
You can use -j redirect in ebtables broute table to force local MAC dnat (this also
'fixes' the pkttype to _HOST) if you really want to broute.
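The two alternatives Florian suggests above, written out as a small shell script. This is an added example, not code from the thread or from the netfilter project. The bridge name br0, the bridge port eth0 and NFQUEUE queue number 0 are assumptions; the commands are emitted as text first so they can be reviewed before being run as root with RUN=1.

```shell
#!/bin/sh
# Added example: two ways to get bridged frames in front of iptables/NFQUEUE.
# Assumed names: bridge br0, bridge port eth0, NFQUEUE queue 0.
BR=${BR:-br0}
IFACE=${IFACE:-eth0}
QUEUE=${QUEUE:-0}

# Option A: keep bridging. With br_netfilter loaded and
# bridge-nf-call-iptables=1, bridged IPv4 frames traverse the iptables
# FORWARD chain, where physdev-matched traffic can be queued to userspace.
# Frames stay PACKET_HOST/OTHERHOST as the bridge saw them; nothing is brouted.
nf_call_iptables_rules() {
    printf '%s\n' \
        "modprobe br_netfilter" \
        "sysctl -w net.bridge.bridge-nf-call-iptables=1" \
        "iptables -A FORWARD -m physdev --physdev-is-bridged -j NFQUEUE --queue-num $QUEUE"
}

# Option B: really broute, but MAC-DNAT to the bridge first.  In the broute
# table, 'redirect' rewrites the destination MAC to that of the bridge the
# frame arrived on (so the skb becomes PACKET_HOST instead of
# PACKET_OTHERHOST), and --redirect-target DROP in BROUTING means "route,
# don't bridge".  Brouted frames enter the IP stack on the port device
# ($IFACE), not on $BR, so the iptables match is on the port.
broute_redirect_rules() {
    printf '%s\n' \
        "ebtables -t broute -A BROUTING -i $IFACE -p IPv4 -j redirect --redirect-target DROP" \
        "iptables -t mangle -A PREROUTING -i $IFACE -j NFQUEUE --queue-num $QUEUE"
}

# Precondition for option A: the sysctl only exists once br_netfilter is
# loaded (on kernels where it is a separate module).  Returns 0 if present.
br_netfilter_available() {
    [ -e /proc/sys/net/bridge/bridge-nf-call-iptables ]
}

# Run (RUN=1) or just print (default) the commands produced by a rule function.
apply_rules() {
    "$1" | while IFS= read -r cmd; do
        if [ "${RUN:-0}" = 1 ]; then
            printf 'running: %s\n' "$cmd"
            eval "$cmd" || exit 1
        else
            printf 'would run: %s\n' "$cmd"
        fi
    done
}

# Usage: ./brouted-nfqueue.sh nfcall | broute   (add RUN=1 to apply)
case "${1:-}" in
    nfcall) apply_rules nf_call_iptables_rules ;;
    broute) apply_rules broute_redirect_rules ;;
esac
```

Option A is the one to reach for when the goal is only inspection: the bridge keeps forwarding and iptables sees the frame anyway. Option B matches the "-j redirect ... --redirect-target DROP" suggestion and only makes sense if those frames should really be routed by the host rather than bridged.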