lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Sep 2015 23:19:59 +0200 From: Florian Westphal <fw@...len.de> To: Daniel Mack <daniel@...que.org> Cc: pablo@...filter.org, daniel@...earbox.net, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org, fw@...len.de, balazs.scheidler@...abit.com Subject: Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type Daniel Mack <daniel@...que.org> wrote: > Add a new chain type NF_INET_LOCAL_SOCKET_IN which is ran after the > input demux is complete and the final destination socket (if any) > has been determined. > > This helps filtering packets based on information stored in the > destination socket, such as cgroup controller supplied net class IDs. This still seems like the 'x y' problem ("want to do X, think Y is correct solution; ask about Y, but thats a strange thing to do"). There is nothing that this offers over INPUT *except* that sk is available. But there is zero benefit as far as I am concerned -- why would you want to do any meaningful filtering based on the sk at that point...? Drop? Makes no sense, else application would not be running in the first place. Allowing response packets? Can already do that with conntrack. So the only 'benefit' is that netcls id is available; but a) why is that even needed and b) is such a huge sledgehammer just for net cgroup accounting worth it? Another question is what other strange things come up once we would open this door. > listening on a specific task, the resulting error code that is sent > back to the remote peer can't be controlled with rules in > NF_INET_LOCAL_SOCKET_IN chains. Right, and that makes this even weirder. For deterministic ingress filtering you can only rely on what is contained in the packet. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists