From: Pascal Hambourg <pascal@plouf.fr.eu.org>
To: "Ethy H. Brito" <ethy.brito@inexo.com.br>
Cc: netfilter <netfilter@vger.kernel.org>
Subject: Re: randomly SNATed devices after reboot
Date: Fri, 16 May 2014 22:25:10 +0200
Message-ID: <53767426.8080003@plouf.fr.eu.org>
In-Reply-To: <20140516165931.274ae0c2@pulsar>
Ethy H. Brito wrote:
>
>> If you don't want this to happen, just DROP all FORWARDed traffic until
>> the SNAT rule is active.
>
> <side comment>
> Hmmm! I am looking at Jan Engelhardt's Packet Flow picture (2014-Feb-28) and
> cannot find conntrack in the output path for forwarded packets. I think we
> found a glitch in his drawing. Does he read this list?
> </side comment>
The conntrack for forwarded packets is in the PREROUTING path.
> Nope. I think this is not an ultimate solution because packets still may flow
> before FORWARD DROP rule is in place. Your suggestion does not kill the race
> condition.
Well, that's because I put filtering rules in place with default DROP
before enabling the network for obvious safety reasons, and assumed
everyone did the same.
> This is what I see, please correct me if I'm wrong:
> 1) IP stack is in place during boot
> 2) network parameters are configured (ip addrs, routes, etc)
> 3) nf modules are loaded (/etc/modules.d??)
> 4) conntrack modules are loaded (also /etc/modules.d)
> 5) user scripts are loaded (iptables snat or FORWARD rules included)
The order is sysadmin-dependent. You decide. My iptables initscript is
run before the network is configured and activated.
> I need to ensure no packet crosses at least before conntrack is loaded
Not necessarily. You're also safe if any forwarded packet is dropped (or
forwarding is disabled) until the SNAT rule is in place. The packets
will be discarded and the conntrack entry will be destroyed immediately.
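The bring-up order Pascal describes, as an added example that is not part of the thread and not any poster's own script: forwarding is switched off and FORWARD defaults to DROP before the network carries anything, the SNAT rule goes in, and only then is forwarding re-enabled, so no forwarded packet can be confirmed into conntrack without a NAT mapping. The WAN interface (eth0), LAN prefix (192.168.1.0/24) and public address (203.0.113.10) are assumed placeholders; `RUN=echo` gives a dry run for checking the order without root.

```shell
#!/bin/sh
# Safe bring-up order for a SNAT router: nothing is forwarded until the
# SNAT rule exists, so the "first packet decides NAT" race cannot happen.
# Assumed placeholders (not from the thread): eth0, 192.168.1.0/24, 203.0.113.10.
WAN=${WAN:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SNAT_IP=${SNAT_IP:-203.0.113.10}
RUN=${RUN:-}   # set RUN=echo to print the commands instead of executing them

nat_bringup() {
    # 1. Close the gate: no forwarding, and FORWARD drops by default.
    $RUN sysctl -w net.ipv4.ip_forward=0
    $RUN iptables -P FORWARD DROP
    $RUN iptables -F FORWARD
    # 2. Load conntrack and the NAT table explicitly, before any traffic.
    $RUN modprobe nf_conntrack
    $RUN modprobe iptable_nat
    # 3. The SNAT rule goes in first ...
    $RUN iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j SNAT --to-source "$SNAT_IP"
    # 4. ... then the forwarding policy ...
    $RUN iptables -A FORWARD -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -s "$LAN_NET" -o "$WAN" -j ACCEPT
    # 5. ... and only now is forwarding switched on.
    $RUN sysctl -w net.ipv4.ip_forward=1
}

# Line number (1-based) of the first dry-run command matching a pattern;
# lets the ordering be verified without touching the live rule set.
step_index() {
    ( RUN=echo; nat_bringup ) | grep -n "$1" | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = "apply" ]; then
    nat_bringup
fi
```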