lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Aug 2020 11:14:25 +0200 From: Eric Dumazet <eric.dumazet@...il.com> To: Daniel Borkmann <daniel@...earbox.net>, Lukas Wunner <lukas@...ner.de>, Pablo Neira Ayuso <pablo@...filter.org>, Jozsef Kadlecsik <kadlec@...filter.org>, Florian Westphal <fw@...len.de> Cc: netfilter-devel@...r.kernel.org, coreteam@...filter.org, netdev@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>, Eric Dumazet <edumazet@...gle.com>, Thomas Graf <tgraf@...g.ch>, Laura Garcia <nevola@...il.com>, David Miller <davem@...emloft.net> Subject: Re: [PATCH nf-next v3 0/3] Netfilter egress hook On 8/28/20 12:14 AM, Daniel Borkmann wrote: > Hi Lukas, > > On 8/27/20 10:55 AM, Lukas Wunner wrote: >> Introduce a netfilter egress hook to allow filtering outbound AF_PACKETs >> such as DHCP and to prepare for in-kernel NAT64/NAT46. > > Thinking more about this, how will this allow to sufficiently filter AF_PACKET? > It won't. Any AF_PACKET application can freely set PACKET_QDISC_BYPASS without > additional privileges and then dev_queue_xmit() is being bypassed in the host ns. > This is therefore ineffective and not sufficient. (From container side these can > be caught w/ host veth on ingress, but not in host ns, of course, so hook won't > be invoked.) Presumably dev_direct_xmit() could be augmented to support the hook. dev_direct_xmit() (packet_direct_xmit()) was introduced to bypass qdisc, not to bypass everything.
Powered by blists - more mailing lists