From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Ahern Subject: Re: [PATCH net-next v2 01/10] net: allow binding socket in a VRF when there's an unbound socket Date: Tue, 2 Oct 2018 13:39:09 -0600 Message-ID: References: <20181001084320.32453-1-mmanning@vyatta.att-mail.com> <20181001084320.32453-2-mmanning@vyatta.att-mail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Cc: Robert Shearman To: Mike Manning , netdev@vger.kernel.org Return-path: Received: from mail-pf1-f194.google.com ([209.85.210.194]:34706 "EHLO mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726194AbeJCCYK (ORCPT ); Tue, 2 Oct 2018 22:24:10 -0400 Received: by mail-pf1-f194.google.com with SMTP id k19-v6so480820pfi.1 for ; Tue, 02 Oct 2018 12:39:12 -0700 (PDT) In-Reply-To: <20181001084320.32453-2-mmanning@vyatta.att-mail.com> Content-Language: en-US Sender: netdev-owner@vger.kernel.org List-ID: On 10/1/18 2:43 AM, Mike Manning wrote: > There is no easy way currently for applications that want to receive > packets in the default VRF to be isolated from packets arriving in > VRFs, which makes using VRF-unaware applications in a VRF-aware system > a potential security risk. please drop that paragraph from the commit message. It is misleading and wrong. Without VRF I can start ssh bound to wildcard address and port 22 allowing connections across any interface in the box. If I do not want that sestup, I have options: e.g., bind ssh to the management address or install netfilter rules. The same applies with VRF as I mentioned in the v1 review. You not liking the options or wanting another option is a different reason for the change than claiming the current options are a security risk.