Message-Id: <20190830.142202.1082989152863915040.davem@davemloft.net>
Date:   Fri, 30 Aug 2019 14:22:02 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     subashab@...eaurora.org
Cc:     netdev@...r.kernel.org, stranche@...eaurora.org
Subject: Re: [PATCH net-next] net: Fail explicit bind to local reserved ports

From: Subash Abhinov Kasiviswanathan <subashab@...eaurora.org>
Date: Wed, 28 Aug 2019 21:26:54 -0600

> Reserved ports may have some special use cases which are not suitable
> for use by general userspace applications. Currently, ports specified
> in ip_local_reserved_ports will not be returned only in case of
> automatic port assignment.
> 
> In some cases, it may be required to prevent the host from assigning
> the ports even in case of explicit binds. Consider the case of a
> transparent proxy where packets are being redirected. In case a socket
> matches this connection, packets from this application would be
> incorrectly sent to one of the endpoints.
> 
> Add a boolean sysctl flag 'reserved_port_bind'. Default value is 1
> which preserves the existing behavior. Setting the value to 0 will
> prevent userspace applications from binding to these ports even when
> they are explicitly requested.
> 
> Cc: Sean Tranchetti <stranche@...eaurora.org>
> Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@...eaurora.org>

I don't know how happy I am about this.  Whatever sets up the transparent
proxy business can block any attempt to communicate over these ports.

Also, protocols like SCTP need the new handling too.
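Added example (not part of the patch, the reply, or the kernel): a small userspace model of the behaviour the thread discusses. It parses the ip_local_reserved_ports list syntax (comma-separated ports and inclusive "lo-hi" ranges, as documented for that sysctl), models automatic assignment skipping reserved ports while an explicit bind still succeeds (today's behaviour, reserved_port_bind=1), and models the refusal the patch proposes for reserved_port_bind=0. Function names, the constructed sample list "8080,9148,30000-30010" and the narrowed local port range used for the demo are assumptions made for illustration; the /proc path and the default ip_local_port_range of 32768-60999 are real.

```python
"""Model of ip_local_reserved_ports for automatic vs explicit binds.

Constructed illustration: parses the sysctl list syntax, models the
ephemeral-port search that skips reserved ports, and models the explicit
bind policy with and without the proposed reserved_port_bind=0.
"""
from __future__ import annotations


def parse_port_list(spec: str) -> set[int]:
    """Parse the ip_local_reserved_ports syntax into a set of ports.

    Accepts single ports and inclusive ranges "lo-hi" separated by commas;
    whitespace and empty entries (e.g. the trailing newline read from /proc)
    are ignored. Out-of-range or malformed entries raise ValueError.
    """
    ports: set[int] = set()
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(entry)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port entry: {entry!r}")
        ports.update(range(lo, hi + 1))
    return ports


def pick_ephemeral_port(reserved: set[int],
                        local_range: tuple[int, int] = (32768, 60999),
                        used: set[int] = frozenset()) -> int:
    """Model of automatic assignment (bind to port 0, or connect with no bind).

    Walks ip_local_port_range and skips ports that are reserved or in use;
    this is the only place reserved ports matter in the current kernel.
    """
    lo, hi = local_range
    for port in range(lo, hi + 1):
        if port in reserved or port in used:
            continue
        return port
    raise OSError("no free local port in range")


def check_explicit_bind(port: int, reserved: set[int],
                        reserved_port_bind: int = 1) -> tuple[bool, str]:
    """Policy for an explicit bind() to a non-zero port.

    reserved_port_bind=1 (default, existing behaviour): reserved ports only
    affect automatic assignment, so the explicit bind is allowed.
    reserved_port_bind=0 (the patch's proposed mode): an explicit bind to a
    reserved port is refused, so e.g. a redirect target used by a
    transparent proxy cannot be claimed by an ordinary application.
    """
    if port in reserved and reserved_port_bind == 0:
        return False, (f"port {port} is in ip_local_reserved_ports "
                       "and reserved_port_bind=0")
    return True, "allowed"


def read_live_reserved_ports(
        path: str = "/proc/sys/net/ipv4/ip_local_reserved_ports") -> set[int]:
    """Read the real sysctl on a Linux host; returns an empty set elsewhere."""
    try:
        with open(path) as f:
            return parse_port_list(f.read())
    except OSError:
        return set()


if __name__ == "__main__":
    # Constructed sample: ports a transparent proxy redirects traffic to.
    reserved = parse_port_list("8080,9148,30000-30010\n")
    # Narrowed range so the skip over the reserved block is visible.
    print("auto-assigned port:",
          pick_ephemeral_port(reserved, local_range=(30000, 30020)))
    for mode in (1, 0):
        print(f"reserved_port_bind={mode}: explicit bind to 8080 ->",
              check_explicit_bind(8080, reserved, mode))
    print("live reserved ports on this host:",
          sorted(read_live_reserved_ports()))
```

Run as root on a host where ip_local_reserved_ports is populated and the last line shows the live list; the rest of the script runs anywhere. The model also makes the objection in the reply concrete: whoever can write reserved_port_bind=0 and the reserved list can refuse every explicit bind to those ports, so the policy is only as trustworthy as the process allowed to set those sysctls.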
