| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20191217135616.25751-1-martin@strongswan.org> Date: Tue, 17 Dec 2019 14:56:14 +0100 From: Martin Willi <martin@...ongswan.org> To: netfilter-devel@...r.kernel.org Cc: netdev@...r.kernel.org Subject: [PATCH netfilter/iptables] Add new slavedev match extension This patchset introduces a new Netfilter match extension to match input interfaces that are associated to a layer 3 master device. The first patch adds the new match to the kernel, the other provides an extension to userspace iptables to make use of the new match. The motivation for a new match is that in INPUT/FORWARD, a base match for the input interface is done against the layer 3 master device if the real input device is associated to such a device. This makes filtering on input interfaces within VRFs difficult. In output, the packet is passed to Netfilter with the real output interface as well, so output interface matching in slavedev is not required. Nonetheless are the arguments named explicitly for the input interface, as it makes the meaning of these options more intuitive and the match extensible. An alternative approach for better filtering within VRFs could be to pass the packet with the real interface to FORWARD/INPUT hooks, or even pass it twice similar to the output path. This is very likely to break existing rulesets, though, which should be no problem with a new match extension. -- 2.20.1
Powered by blists - more mailing lists