Message-ID: <20170315220605.GA1766@salvia>
Date: Wed, 15 Mar 2017 23:06:05 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Linus Lüssing <linus.luessing@...3.blue>
Cc: Florian Westphal <fw@...len.de>, netdev@...r.kernel.org,
"David S . Miller" <davem@...emloft.net>,
Stephen Hemminger <stephen@...workplumber.org>,
Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
bridge@...ts.linux-foundation.org, netfilter-devel@...r.kernel.org,
coreteam@...filter.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

On Wed, Mar 15, 2017 at 10:16:19PM +0100, Linus Lüssing wrote:
> On Wed, Mar 15, 2017 at 07:15:39PM +0100, Pablo Neira Ayuso wrote:
> > Could you update ebtables dnat to check if the ethernet address
> > matches the one of the input bridge interface, so we mangle the
> > ->pkt_type accordingly from there, instead of doing this from the
> > core?
>
> Actually, that was the approach I thought about and went for first
> (and it would probably work for me). Just checking against the
> bridge device's net_device::dev_addr.
>
> I scratched it though, as I was afraid that the issue might still
> exist for people using some other upper device on top of the bridge
> device. For instance, macvlan? And iterating over the
> net_device::dev_addrs list seemed too costly for fast path to me.

I was more thinking of following the simple approach that we follow in
ebt_redirect_tg() by taking the input interface.

Anyway, I'm ok with this.