From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Darren Willis <djw@google.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] DHCPv6 connection tracker helper
Date: Tue, 14 Feb 2012 00:05:43 +0100
Message-ID: <20120213230543.GA23839@1984>
In-Reply-To: <CAFntDkzUvtyKZ1in3tKE4jUyhL5C4p3HmMSCGhMVORxxqJEGGA@mail.gmail.com>
On Mon, Feb 13, 2012 at 01:07:18PM +0900, Darren Willis wrote:
> Hi Pablo,
>
> On Fri, Feb 10, 2012 at 20:18, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > why not just adding the rule that allows udp traffic for this?
>
> Distros don't seem to want to (see the bug I linked where some red hat
> people have decided a module is the way to go). Possibly people are
> concerned that such a firewall rule leaves a port open on the local
> link permanently (and possibly with an /sbin/dhclient binary, or
> similar, listening on it).
> DHCPv4 seems to get away with it because, IIRC, it uses raw sockets
> and bypasses netfilter completely. So it's still open, but people
> don't tend to think/know about it (this isn't really a good thing...)
I see.
> > I still don't see the need for this extra module if you can get it
> > done with iptables itself.
>
> I think it's nice to firewall things as much as is feasible, and this
> particular case isn't really complex at all. All this module does (and
> all that needs doing) is let through the first reply to the right
> port, and after that normal connection tracking takes care of it.
>
> Possibly in the future conntrack should have some kind of extendable
> broadcast/multicast helpers module that can set up simple helpers like
> this for various different protocols (mDNS, etc)
Yes, we need some appropriate broadcast/multicast tracking. I don't
like the idea of using the expectation infrastructure for this, but
well, it's what we have by now.
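The two approaches argued over above, modelled in user space as an added example (this is not the patch under review and not netfilter code): the static UDP rule Pablo suggests admits the server-to-client port pair for as long as the rule exists, while the helper Darren describes registers a one-shot expectation when the client multicasts its Solicit and admits only the reply that matches it. The `Pkt` type, the `ExpectationHelper` class and the link-local addresses are constructed for the illustration.

```python
from typing import NamedTuple
ALL_DHCP_SERVERS = "ff02::1:2"  # All_DHCP_Relay_Agents_and_Servers group (RFC 3315)
CLIENT_PORT, SERVER_PORT = 546, 547
class Pkt(NamedTuple):          # constructed minimal packet model
    src: str
    sport: int
    dst: str
    dport: int
def static_rule_allows(p: Pkt) -> bool:
    """Plain firewall rule: admit the server->client port pair permanently,
    whether or not the client ever sent a request."""
    return p.sport == SERVER_PORT and p.dport == CLIENT_PORT
class ExpectationHelper:
    """Helper approach, modelled: the client's multicast Solicit registers a
    one-shot expectation; the first matching reply consumes it and becomes a
    tracked flow, after which ordinary conntrack state takes over."""
    def __init__(self) -> None:
        self.expectations = set()  # (client addr, client port)
        self.tracked = set()       # (server addr, client addr, client port)
    def outbound(self, p: Pkt) -> None:
        if p.dst == ALL_DHCP_SERVERS and p.dport == SERVER_PORT:
            self.expectations.add((p.src, p.sport))

    def inbound_allows(self, p: Pkt) -> bool:
        flow = (p.src, p.dst, p.dport)
        if flow in self.tracked:
            return True                         # ESTABLISHED
        key = (p.dst, p.dport)
        if p.sport == SERVER_PORT and key in self.expectations:
            self.expectations.discard(key)      # consumed by the first reply only
            self.tracked.add(flow)
            return True                         # RELATED, now tracked
        return False

def scenario() -> dict:
    """Constructed link-local traffic: one client, one server, one stranger."""
    client, server, stranger = "fe80::1", "fe80::2", "fe80::3"
    solicit = Pkt(client, CLIENT_PORT, ALL_DHCP_SERVERS, SERVER_PORT)
    reply = Pkt(server, SERVER_PORT, client, CLIENT_PORT)
    unsolicited = Pkt(stranger, SERVER_PORT, client, CLIENT_PORT)
    h = ExpectationHelper()
    h.outbound(solicit)
    return {
        "rule_unsolicited": static_rule_allows(unsolicited),  # True: port stays open
        "helper_reply": h.inbound_allows(reply),              # True: matched expectation
        "helper_reply_again": h.inbound_allows(reply),        # True: tracked flow now
        "helper_unsolicited": h.inbound_allows(unsolicited),  # False: nothing expected it
    }
```

The model keeps the limitation Pablo alludes to: an expectation admits whichever reply arrives first, which is exactly why proper broadcast/multicast tracking rather than the expectation infrastructure is the long-term answer.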