From: Eric Dumazet <eric.dumazet@gmail.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Adayadil Thomas <adayadil.thomas@gmail.com>,
netdev@vger.kernel.org, Patrick McHardy <kaber@trash.net>
Subject: Re: Connection tracking and vlan
Date: Fri, 30 Oct 2009 17:19:30 +0100
Message-ID: <4AEB1212.6010905@gmail.com>
In-Reply-To: <20091030154639.GA8197@gondor.apana.org.au>
Herbert Xu wrote:
> On Fri, Oct 30, 2009 at 04:31:50PM +0100, Eric Dumazet wrote:
>> Same thing if you have two interfaces, eth0 & eth1: IP conntrack tuples don't
>> include interface name/index
>
> Indeed, but imagine what happens when eth0 is the LAN and eth1 is
> the wild wild Internet. Do you really want their packets to mix?
>
No, Adayadil needs firewall rules (or RPF) before entering conntrack.
Allowing spoofed packets to come from wild Internet would be...
interesting in many aspects.

And since some setups use several links to LAN, several links to
Internet, it's user policy decisions.