Date: Thu, 29 Dec 2011 10:14:36 +0000
On 28/12/11 17:35, Stephan Wiesand wrote:
>> When using iptables to "REJECT" bridged network traffic under Scientific Linux 6.1, the kernel stack is corrupted, causing a kernel panic.
>
> Right, this doesn't work. I'm not sure it will work with any Linux kernel.
It seems to me that there is no particular reason why this shouldn't
work though - when generating the ICMP response the kernel shouldn't
have to deal with the bridge at all - just inject it into the IP stack
and let it traverse the routing table as any other packet would.
FWIW, this *does* seem to work under the 2.6.18 kernel (I've been doing
it for several years without any problems).
At the very least, it should "not work" in a safe way rather than
bringing down the whole machine (also, there may be scope for a security
exploit since the stack is getting trashed).
> DROPping packets, instead of REJECTing them, is probably safe. If it must be REJECT, the only solution is probably to have an additional VM acting as the firewall/router for the others.
I wonder if I can DNAT the packet to a local port that has nothing
listening on it... that would generate an ICMP port unreachable. Messy
as hell though.
> If you're 100% sure that it *does* affect RHEL, that's the right place.
Well, I can't test it as I have no RHEL machines, but I see no reason
why it wouldn't affect RHEL too.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messenger: xmpp:[log in to unmask]
Email: [log in to unmask]
Phone: sip:[log in to unmask]
Sales / enquiries contacts:
Email: [log in to unmask]
Phone: +44-844-9791439 / sip:[log in to unmask]
Support contacts:
Email: [log in to unmask]
Phone: +44-844-4844916 / sip:[log in to unmask]
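As an added example (not from the thread or from Opendium), here is a small audit script for the configuration Steve describes: it scans an iptables-save dump for REJECT rules that can match bridged/forwarded traffic and rewrites them to the DROP workaround Stephan suggests. The ruleset is constructed, the bridge name br0 and the "FORWARD chain or -m physdev" heuristic are assumptions.

```shell
#!/bin/sh
# Find REJECT rules that can fire on bridged traffic (the case reported to
# panic the SL 6.1 kernel) and turn them into DROP rules.
# Heuristic (assumed): a rule is "bridged" if it is in the FORWARD chain or
# uses the physdev match. Bridge interface name br0 is a constructed value.

# Constructed sample ruleset in iptables-save format.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
-A FORWARD -m physdev --physdev-is-bridged -p tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp --dport 53 -j REJECT
-A FORWARD -i br0 -p tcp --dport 80 -j DROP
COMMIT'

# Print every rule on stdin that is bridged (per the heuristic above) and
# whose target is REJECT. Rules on INPUT/OUTPUT are left alone: REJECT on
# locally delivered traffic is not the problem described in the thread.
find_bridged_reject() {
    grep -E '^-A (FORWARD|[A-Za-z0-9_-]+ .*-m physdev)' | grep -E -- '-j REJECT( |$)'
}

# Rewrite the offending rules to DROP, dropping any --reject-with option, and
# pass all other lines through unchanged so the result is still loadable
# with iptables-restore.
rewrite_reject_to_drop() {
    sed -E '/^-A (FORWARD|.*-m physdev)/ s/-j REJECT( --reject-with [a-z-]+)?/-j DROP/'
}

# Number of risky rules in the sample before and after the rewrite.
count_bridged_reject() {
    printf '%s\n' "$SAMPLE_RULES" | find_bridged_reject | wc -l | tr -d ' '
}

count_bridged_reject_after_fix() {
    printf '%s\n' "$SAMPLE_RULES" | rewrite_reject_to_drop | find_bridged_reject | wc -l | tr -d ' '
}
```

To audit a live box, feed it `iptables-save | find_bridged_reject` instead of the sample; the rewrite function works the same way on real output.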