Hello,
On Wed, 6 Jun 2001, Roberto Nibali wrote:
> Hello Julian,
>
> > What about using socket option SO_BINDTODEVICE, again with
> > INADDR_ANY? I have never tried it but may be it can help. I assume
> > you need to bind to internal device where the -j REDIRECT is placed too.
>
> Well thanks, this adds a little bit more security. But I obviously can't
> set SO_BINDTODEVICE to lo. But it's better than the first version :)
Why lo? :) lo can be the incoming interface only for local
talks. SO_BINDTODEVICE should be set on the server socket as I understand
it, and the clients will connect only when the packets come through this
interface. It seems you don't want to listen even on the internal interface :)
This server will listen only on lo?
> BTW, very interesting code is executed when SO_BINDTODEVICE is used:
>
> lock_sock(sk);
> dst_release(xchg(&sk->dst_cache, NULL));
> release_sock(sk);
>
> Why do we need to clear the routing cache in this case?
Yep, rerouting is needed in this case because the socket can
already be bound to an output route pointing to another device.
> > I assume this server port will not be accessible through other devices?
>
> Only if the policy is DENY and if the -j REDIRECT uses the -i <INTERFACE>.
> Although I'm not sure if ipchains in net/ipv4/ip_fw.c really makes use of
> the sk->bound_dev_if = dev->ifindex;
> It should be in ip_rule_match() & ip_fw_domatch() but I can't extract it.
> For me it looks like if the packet didn't get dropped before because of the
> wrong interface, the firewall would not drop it later in case of a REDIRECT
> chain.
>
> I think I would need to add code to net/ipv4/ip_fw.c:
>
> #ifdef CONFIG_IP_TRANSPARENT_PROXY
>     if (ret == FW_REDIRECT && redirport) {
>         /* a redirect port of 0 is a wildcard: keep the original destination port */
>         if ((*redirport = htons(f->ipfw.fw_redirpt)) == 0) {
>             *redirport = htons(dst_port);
>         }
>     }
> #endif
>
> But I think this whole stuff is a bit fishy anyway. I'd rather use iptables,
> which has no problems doing the redirection to local sockets. It's time to
> say goodbye to 2.2.x :)
Maybe I don't understand the setup. My thought was that
SO_BINDTODEVICE will make the server listen on the incoming device
where -j REDIRECT accepts packets destined for the world.
> > man 4 socket
>
> Thanks for the pointers, saved me some time searching. BTW: Isn't it
> socket(2)? Anyways, was cool to hear again from you :)
Hm, SO_BINDTODEVICE is in my man 4 pages :)
> Best regards,
> Roberto Nibali, ratz
>
> --
> mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
Regards
--
Julian Anastasov <ja@xxxxxx>