lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190708141730.ozycgmtrub7ok2qs@breakpoint.cc>
Date:   Mon, 8 Jul 2019 16:17:30 +0200
From:   Florian Westphal <fw@...len.de>
To:     wenxu@...oud.cn
Cc:     pablo@...filter.org, fw@...len.de, netfilter-devel@...r.kernel.org,
        netdev@...r.kernel.org
Subject: Re: [PATCH nf-next 1/3] netfilter: nf_nat_proto: add
 nf_nat_bridge_ops support

wenxu@...oud.cn <wenxu@...oud.cn> wrote:
> From: wenxu <wenxu@...oud.cn>
> 
> Add nf_nat_bridge_ops to do nat in the bridge family

Whats the use case for this?

The reason I'm asking is that a bridge doesn't know about IP,
Bridge netfilter (the call-iptables thing) has a lot of glue code
to detect dnat rewrites and updates target mac address, including
support for redirect (suddently packet has to be pushed up the stack)
or changes in the oif to non-bridge ports (it even checks forward sysctl
state ..) and so on.

Thats something that I don't want to support in nftables.

For NAT on bridge, it should be possible already to push such packets
up the stack by

bridge input meta iif eth0 ip saddr 192.168.0.0/16 \
       meta pkttype set unicast ether daddr set 00:11:22:33:44:55

then normal ip processing handles this and nat should "just work".
If above doesn't work for you I'd like to understand why.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ