Hello Julian,
> What about using socket option SO_BINDTODEVICE, again with
> INADDR_ANY? I have never tried it but maybe it can help. I assume
> you need to bind to internal device where the -j REDIRECT is placed too.
Well thanks, this adds a little bit more security. But I obviously can't
set SO_BINDTODEVICE to lo. But it's better than the first version :)
BTW, very interesting code is executed when SO_BINDTODEVICE is used:
lock_sock(sk);
dst_release(xchg(&sk->dst_cache, NULL));
release_sock(sk);
Why do we need to clear the routing cache in this case?
> I assume this server port will not be accessible through other devices?
Only if the policy is DENY and if the -j REDIRECT uses the -i <INTERFACE>.
Although I'm not sure if ipchains in net/ipv4/ip_fw.c really makes use of
the sk->bound_dev_if = dev->ifindex;
It should be in ip_rule_match() & ip_fw_domatch() but I can't extract it.
For me it looks like if the packet didn't get dropped before because of the
wrong interface, the firewall would not drop it later in case of a REDIRECT
chain.
I think I would need to add code to net/ipv4/ip_fw.c:
#ifdef CONFIG_IP_TRANSPARENT_PROXY
	if (ret == FW_REDIRECT && redirport) {
		/* rule carries no explicit port: keep the original destination port */
		if ((*redirport = htons(f->ipfw.fw_redirpt)) == 0) {
			*redirport = htons(dst_port);
		}
	}
#endif
But I think this whole stuff is a bit fishy anyway. I'd rather use iptables
which has no problems doing the redirection to local sockets. It's time to
say goodbye to 2.2.x :)
> References:
>
> net/core/sock.c: sock_setsockopt()
> net/ipv4/# grep bound_dev_if *.c|less
> man 4 socket
Thanks for the pointers, saved me some time searching. BTW: Isn't it
socket(2)? Anyways, was cool to hear again from you :)
Best regards,
Roberto Nibali, ratz
--
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
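The SO_BINDTODEVICE approach discussed in this message, written out as an added example (not code from the thread or from the kernel): a TCP listener bound to INADDR_ANY but pinned to one interface, with a getsockopt read-back so a deployment check can confirm the pin applied. The interface name "eth0" and port 8080 are assumptions; the option is set before bind() so the kernel ties the device index to the socket before it resolves a local address.

```c
/* Added example: an INADDR_ANY listener pinned to one interface with
 * SO_BINDTODEVICE. Not code from the mailing-list thread; the interface
 * name and port used in main() are assumed values. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Validate an interface name before handing it to the kernel: it must be
 * non-empty and fit in IFNAMSIZ including the terminating NUL.
 * Returns 0 when acceptable, -EINVAL when empty, -ENAMETOOLONG when too long. */
int check_ifname(const char *ifname)
{
    if (ifname == NULL || ifname[0] == '\0')
        return -EINVAL;
    if (strlen(ifname) >= IFNAMSIZ)
        return -ENAMETOOLONG;
    return 0;
}

/* Fill a wildcard (0.0.0.0) IPv4 address for the given host-order port. */
void make_any_addr(struct sockaddr_in *sa, unsigned short port)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_addr.s_addr = htonl(INADDR_ANY);
    sa->sin_port = htons(port);
}

/* Create a listening TCP socket on INADDR_ANY:port that only sees traffic
 * arriving on ifname. Returns the descriptor, or -errno on failure.
 * Setting SO_BINDTODEVICE typically needs CAP_NET_RAW, so this fails with
 * -EPERM for an unprivileged caller on older kernels. */
int listen_on_device(unsigned short port, const char *ifname)
{
    struct sockaddr_in sa;
    int fd, one = 1, rc;

    rc = check_ifname(ifname);
    if (rc < 0)
        return rc;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));

    /* The option length includes the terminating NUL, per socket(7). */
    if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname) + 1) < 0)
        goto fail;

    make_any_addr(&sa, port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        goto fail;
    if (listen(fd, 16) < 0)
        goto fail;
    return fd;

fail:
    rc = -errno;          /* capture before close() can clobber errno */
    close(fd);
    return rc;
}

/* Read back the bound device name (SO_BINDTODEVICE is readable since
 * Linux 3.8). Returns 0 and copies the name into buf, or -errno. */
int bound_device(int fd, char *buf, size_t buflen)
{
    socklen_t len = (socklen_t)buflen;
    memset(buf, 0, buflen);
    if (getsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, buf, &len) < 0)
        return -errno;
    return 0;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";   /* assumed interface */
    char name[IFNAMSIZ];
    int fd = listen_on_device(8080, ifname);            /* assumed port */
    if (fd < 0) {
        fprintf(stderr, "listen_on_device: %s\n", strerror(-fd));
        return 1;
    }
    if (bound_device(fd, name, sizeof(name)) == 0)
        printf("listening on 0.0.0.0:8080, pinned to '%s'\n", name);
    close(fd);
    return 0;
}
```

Build with `cc -o bindtodev bindtodev.c` and run as a user holding CAP_NET_RAW; connections arriving on any other interface never reach this socket, which is the property the firewall REDIRECT rule alone does not give you.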