Re: [PATCH] bridge: make bridge-nf-call-*tables default configurable | KernelTrap

Re: [PATCH] bridge: make bridge-nf-call-*tables default configurable

view
thread

!MAILaRCHIVE_VOTE_RePLACE

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Herbert Xu <herbert@...>

To: Jan Engelhardt <jengelh@...>

Cc: David Miller <davem@...>, <markmc@...>, <netdev@...>, <kaber@...>, <netfilter-devel@...>

Subject: Re: [PATCH] bridge: make bridge-nf-call-*tables default configurable

Date: Wednesday, July 1, 2009 - 12:10 am

On Wed, Jul 01, 2009 at 05:50:18AM +0200, Jan Engelhardt wrote:
quoted text> 
> On secondary thought, one could also argue that because conntrack 
> ignores the interface, two unrelated connections happening to be routed 
> through the same machine(*) are tracked as one, too.

Good point.  We really should make these risks much more explicit.

However, I still think the risk with bridging is higher, especially
in the presence of virtualisation.  Consider the scenario where you
have to VMs on the one host, each with a dedicated bridge with the
intention that neither should know anything about the other's
traffic.

With conntrack running as part of bridging, the traffic can now
cross over which is a serious security hole.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH] bridge: make bridge-nf-call-*tables default configur..., Mark McLoughlin, (Tue Jun 30, 12:27 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 4:56 am)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., David Miller, (Tue Jun 30, 11:16 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Mark McLoughlin, (Wed Jul 1, 6:45 am)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., David Miller, (Wed Jul 1, 12:02 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Wed Jul 1, 12:26 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 6:51 am)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., David Miller, (Wed Jul 1, 12:02 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 12:05 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Mark Smith, (Wed Jul 1, 5:18 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., David Miller, (Wed Jul 1, 12:08 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Tue Jun 30, 1:00 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 4:57 am)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Wed Jul 1, 5:07 am)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 5:21 am)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Wed Jul 1, 12:33 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 1:01 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., David Miller, (Tue Jun 30, 3:06 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Jan Engelhardt, (Tue Jun 30, 4:16 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Tue Jun 30, 9:15 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Patrick McHardy, (Wed Jul 1, 5:01 am)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Jan Engelhardt, (Tue Jun 30, 11:50 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Ben Greear, (Wed Jul 1, 12:14 am)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Wed Jul 1, 12:10 am)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Mark Smith, (Tue Jun 30, 4:57 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Herbert Xu, (Tue Jun 30, 9:48 pm)

Re: [PATCH] bridge: make bridge-nf-call-*tables default conf..., Jan Engelhardt, (Tue Jun 30, 5:30 pm)

Navigation

Popular discussions


linux-kernel:
david	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Eric Sandeen	Re: [RFC] Heads up on sys_fallocate()
Filippos Papadopoulos	Re: INITIO scsi driver fails to work properly
Greg KH	[GIT PATCH] driver core patches against 2.6.24
git:

linux-netdev:
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
David Miller	[GIT]: Networking
Jarek Poplawski	[PATCH take 2] pkt_sched: Protect gen estimators under est_lock.
Natalie Protasevich	[BUG] New Kernel Bugs
openbsd-misc:

Colocation donated by:

Who's online

There are currently 0 users and 570 guests online.

Syndicate