Re: [Qemu-devel] [PATCH] net: add raw backend - some performance measur

From: Herbert Xu
Subject: Re: [Qemu-devel] [PATCH] net: add raw backend - some performance measurements
Date: Tue, 21 Jul 2009 09:46:53 +0800
User-agent: Mutt/1.5.18 (2008-05-17)

On Mon, Jul 20, 2009 at 09:20:32PM +0300, Michael S. Tsirkin wrote:
> > Is netfilter enabled on the bridge? If so you need to turn it off
> > because it's a huge security hole for virtualisation
> How is it a security hole?

Because bridge netfilter will perform defragmentation and conntrack,
both of which are global in scope.  That means packets from two
unrelated bridges can be treated as exactly the same if their
IP addresses/port numbers are identical, causing information
leakage or worse, allowing an attacker to modify others' traffic.

Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <address@hidden>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
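The check a host administrator would want after reading the reply above, as an added example that is not part of the thread or of QEMU: a small POSIX sh audit of the three bridge-netfilter sysctls that decide whether bridged frames are handed to the host's global iptables/ip6tables/arptables hooks (and so to the shared defragmentation and conntrack state Herbert Xu describes). It assumes a Linux host where the knobs are exposed as files under /proc/sys/net/bridge/ (they are absent when bridge netfilter support is not loaded, which is the safe state); the directory argument, function names and the sample values written in the test are assumptions made for this example.

```shell
#!/bin/sh
# Audit the bridge-netfilter knobs on a virtualisation host.
# Added example, not from the original thread. Assumes a Linux host where the
# knobs live under /proc/sys/net/bridge/ (the directory is absent when bridge
# netfilter is not loaded, which is the state we want).

# Print the value of one bridge-nf knob, or "absent" if the file is missing.
bridge_nf_value() {
    # $1 = directory holding the sysctl files, $2 = knob name
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo absent
    fi
}

# Report each knob; the return value is the number of knobs set to 1.
# Non-zero means bridged guest traffic is run through the host's global
# netfilter hooks (defragmentation and conntrack shared across all bridges),
# i.e. the configuration the thread warns about.
audit_bridge_nf() {
    dir="${1:-/proc/sys/net/bridge}"
    enabled=0
    for knob in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        val=$(bridge_nf_value "$dir" "$knob")
        case "$val" in
            1) echo "WARN: $knob=1 (bridged frames pass through global netfilter/conntrack)"
               enabled=$((enabled + 1)) ;;
            0) echo "ok:   $knob=0" ;;
            *) echo "ok:   $knob $val (bridge netfilter not active)" ;;
        esac
    done
    return "$enabled"
}

# Emit the settings that turn bridge netfilter off, in sysctl.conf syntax,
# for dropping into /etc/sysctl.d/. Output only; applying it (sysctl -p or
# sysctl -w per line) is left to the administrator.
bridge_nf_disable_snippet() {
    printf 'net.bridge.bridge-nf-call-iptables = 0\n'
    printf 'net.bridge.bridge-nf-call-ip6tables = 0\n'
    printf 'net.bridge.bridge-nf-call-arptables = 0\n'
}

# Stand-alone run: audit the live host (optional first argument overrides the
# directory, which is handy for testing against a copied-out directory).
audit_bridge_nf "${1:-/proc/sys/net/bridge}" \
    || echo "Bridge netfilter is enabled; disable it before putting guests on this bridge."
```

On a host where the knobs report 1, the fix the reply asks for is the three zeroes printed by `bridge_nf_disable_snippet`; note that per-bridge firewalling then has to be done by other means, since these knobs are host-wide rather than per-bridge, which is exactly why the shared state is a problem.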
