Home » Mailing list archives » linux-netdev » 2009 » July » 1

Re: [PATCH] bridge: make bridge-nf-call-*tables default configurable

!MAILaRCHIVE_VOTE_RePLACE
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Herbert Xu <herbert@...>
To: Jan Engelhardt <jengelh@...>
Cc: David Miller <davem@...>, <markmc@...>, <netdev@...>, <kaber@...>, <netfilter-devel@...>
Subject: Re: [PATCH] bridge: make bridge-nf-call-*tables default configurable
Date: Tuesday, June 30, 2009 - 9:15 pm

On Tue, Jun 30, 2009 at 10:16:35PM +0200, Jan Engelhardt wrote:

No, my question is does it ever make sense to use conntrack as
part of bridge netfilter.  That is, do you ever want to test it
in your rules that are run as part of bridge netfilter.

conntrack is inherently a security hole when used as part of
bridging, because it ignores the Ethernet header so two unrelated
connections can be tracked as one.

It used to be an even bigger security hole when we ignored VLAN
and PPPOE headers but at least that's now off by default.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
[PATCH] bridge: make bridge-nf-call-*tables default configur..., Mark McLoughlin, (Tue Jun 30, 12:27 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 4:56 am)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., David Miller, (Tue Jun 30, 11:16 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Mark McLoughlin, (Wed Jul 1, 6:45 am)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., David Miller, (Wed Jul 1, 12:02 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Wed Jul 1, 12:26 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 6:51 am)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., David Miller, (Wed Jul 1, 12:02 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 12:05 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Mark Smith, (Wed Jul 1, 5:18 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., David Miller, (Wed Jul 1, 12:08 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Tue Jun 30, 1:00 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 4:57 am)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Wed Jul 1, 5:07 am)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 5:21 am)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Wed Jul 1, 12:33 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 1:01 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., David Miller, (Tue Jun 30, 3:06 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Jan Engelhardt, (Tue Jun 30, 4:16 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Tue Jun 30, 9:15 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 5:01 am)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Jan Engelhardt, (Tue Jun 30, 11:50 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Ben Greear, (Wed Jul 1, 12:14 am)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Wed Jul 1, 12:10 am)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Mark Smith, (Tue Jun 30, 4:57 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Tue Jun 30, 9:48 pm)
Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Jan Engelhardt, (Tue Jun 30, 5:30 pm)