| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Feb 2018 12:07:06 +0100
From: Florian Westphal <fw@...len.de>
To: Gregory Vander Schueren <gregory.vanderschueren@...sares.net>
Cc: netfilter-devel@...r.kernel.org, gregory.detal@...sares.net,
Matthieu Baerts <matthieu.baerts@...sares.net>,
netdev@...r.kernel.org
Subject: Re: [PATCH] inet: don't call skb_orphan if tproxy happens in layer 2
Gregory Vander Schueren <gregory.vanderschueren@...sares.net> wrote:
[ cc netdev ]
> If sysctl bridge-nf-call-iptables is enabled, iptables chains are already
> traversed from the bridging code. In such case, tproxy already happened when
> reaching ip_rcv. Thus no need to call skb_orphan as this would actually undo
> tproxy.
I don't like this because it adds yet another test in fastpath, and for
a use case that has apparently never worked before.
> We noticed issues when using tproxy with net.bridge.bridge-nf-call-iptables
> enabled. In such case, ip_rcv() basically undo tproxy's job. The following
> patch proposes a fix.
I question wheter its a good idea to mix tproxy with bridges.
Tproxy relies on policy routing, but a bridge doesn't route :-)
I guess you use bridge snat mac mangling to force local delivery of
packets that are otherwise bridged?
If yes, can you use ebtables brouting instead?
This would bypass the bridge (so no iptables invocation from bridge
prerouting anymore).
We will try to get rid of nf-call-iptables eventually.
There might be (more complicated) ways to avoid this problem without
adding code in normal network path, but lets check other options first.
Powered by blists - more mailing lists