Message-ID: <3167EFAB95044A4EB6B134B9A39AA98A055B60A2@xmb-rcd-x05.cisco.com>
Date:	Tue, 14 Jul 2015 11:52:13 +0000
From:	"Yigal Reiss (yreiss)" <yreiss@...co.com>
To:	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: RE: [PATCH] brouted packet identified as PACKET_OTHERHOST blocked by higher protocol

Florian Westphal [mailto:fw@...len.de] wrote:
> Maybe, but if you broute everything you might as well just remove the
> bridge...
I want to be selective. My setup is a home router. So I can have ebtables rules for
which traffic to (b)route and which to bridge, based on security/performance criteria.

> You can use -j redirect in ebtables broute table to force local MAC dnat
> (this also 'fixes' the pkttype to _HOST) if you really want to broute.
I may be missing something obvious, but what is the normal case where using an
ebtables 'broute' "-j DROP" rule does work? It seemed to me that without the
fix all (b)routed packets would get lost in the IP layer
(unless DNAT or something else is also done that changes the pkt_type value).
What is the original intention of this table/chain if not pulling packets between
"other hosts" out of the bridge and passing them through the IP and higher layers?

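The behaviour Yigal is asking about, as an added example that is not part of the original message or of the patch under discussion: a small user-space model of the bridge receive path. It assumes the kernel's destination-MAC classification in eth_type_trans(), the PACKET_OTHERHOST check at the top of ip_rcv(), and the effect of the ebtables redirect target in the BROUTING chain (rewrite the destination MAC to the bridge port's address and mark the frame PACKET_HOST). The struct and function names are stand-ins, not kernel symbols, and the MAC addresses are constructed.

```c
/* Added example, not the patch under discussion and not kernel code: a
 * user-space model of why a brouted frame is lost in the IP layer unless
 * its pkt_type is changed.  All MAC addresses below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same numeric values as the kernel's PACKET_* constants. */
enum pkt_type { PACKET_HOST = 0, PACKET_BROADCAST = 1,
                PACKET_MULTICAST = 2, PACKET_OTHERHOST = 3 };

struct mac { uint8_t b[6]; };

/* Stand-in for the sk_buff fields that matter here. */
struct frame { struct mac dst; struct mac src; enum pkt_type pkt_type; };

/* Constructed addresses: the bridge port the frame arrives on, and some
 * other host behind the bridge that the frame is actually addressed to. */
const struct mac PORT_MAC       = {{0x02, 0x00, 0x00, 0x00, 0x00, 0x01}};
const struct mac OTHER_HOST_MAC = {{0x02, 0x00, 0x00, 0x00, 0x00, 0x42}};
const struct mac BCAST_MAC      = {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff}};
const struct mac MCAST_MAC      = {{0x01, 0x00, 0x5e, 0x00, 0x00, 0x01}};

static int mac_eq(const struct mac *a, const struct mac *b)
{
    return memcmp(a->b, b->b, sizeof a->b) == 0;
}

/* Receive-side classification in the order eth_type_trans() does it:
 * group bit set -> broadcast or multicast; not my address -> OTHERHOST;
 * otherwise the frame is for this host. */
enum pkt_type classify(const struct mac *dst, const struct mac *dev_addr)
{
    if (dst->b[0] & 0x01)
        return mac_eq(dst, &BCAST_MAC) ? PACKET_BROADCAST : PACKET_MULTICAST;
    if (!mac_eq(dst, dev_addr))
        return PACKET_OTHERHOST;
    return PACKET_HOST;
}

/* Convenience wrapper: classify against the bridge port's own address. */
enum pkt_type classify_on_port(const struct mac *dst)
{
    return classify(dst, &PORT_MAC);
}

/* The first thing ip_rcv() checks: a frame for another host is dropped
 * before any IP processing happens. */
int ip_rcv_accepts(const struct frame *f)
{
    return f->pkt_type != PACKET_OTHERHOST;
}

/* Model of "-j redirect" in the broute table: rewrite the destination MAC
 * to the receiving bridge port's address and mark the frame PACKET_HOST. */
void broute_redirect(struct frame *f, const struct mac *port_addr)
{
    f->dst = *port_addr;
    f->pkt_type = PACKET_HOST;
}

/* Run a frame addressed to OTHER_HOST_MAC through the model.
 * apply_redirect == 0 models a plain "-j DROP" in BROUTING (the frame is
 * handed to the IP stack untouched); apply_redirect == 1 models
 * "-j redirect --redirect-target DROP".  Returns 1 if the IP layer would
 * accept the frame, 0 if ip_rcv() drops it. */
int brouted_frame_reaches_ip(int apply_redirect)
{
    struct frame f;
    f.dst = OTHER_HOST_MAC;
    memset(&f.src, 0, sizeof f.src);
    f.pkt_type = classify(&f.dst, &PORT_MAC);   /* PACKET_OTHERHOST */
    if (apply_redirect)
        broute_redirect(&f, &PORT_MAC);
    return ip_rcv_accepts(&f);
}

int main(void)
{
    printf("broute with -j DROP only:      %s\n",
           brouted_frame_reaches_ip(0) ? "reaches IP" : "dropped in ip_rcv");
    printf("broute with -j redirect first: %s\n",
           brouted_frame_reaches_ip(1) ? "reaches IP" : "dropped in ip_rcv");
    return 0;
}
```

The model shows the two cases side by side: a frame for another host that is brouted with "-j DROP" alone arrives at ip_rcv() still marked PACKET_OTHERHOST and is discarded, while the same frame after the redirect target carries the port's MAC and PACKET_HOST and is processed normally.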