On Mon, Apr 22, 2024 at 07:26:30PM -0000, qubist wrote:
> Hi,
> 
> With the current firewall, a spoofed packet can travel all the way to
> the ip/ip6 hook, where it is dropped.
> 
> Considering the general security principle to stop attacks as far as
> possible, why is it not dropped early in the ingress hook instead, thus
> also saving additional CPU cycles?

The "antispoof" chain is hooked via the "raw" priority, which happens
before all kinds of connection tracking, routing, etc., basically as early
as the firewall can see whole IP packets (not, for example, only their
fragments). Theoretically it might be moved a bit earlier, but I don't
think it would save much processing; on the other hand, you may run into
some issues, since not all packet fields are available at this stage yet.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
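The two placements discussed above, written out as an added illustrative nftables ruleset (this is example code, not the Qubes firewall's own ruleset). Assumptions: the downstream interface is named vif0 and the only legitimate source address on it is 10.137.0.20; both values are invented for the example. The priority numbers in the comments are the standard netfilter IPv4 prerouting priorities (defrag -400, raw -300, conntrack -200, mangle -150, dstnat -100, filter 0).

```nft
# Added example, not the Qubes firewall ruleset.
# Assumed names: interface vif0, legitimate source 10.137.0.20.

# Option A: the "ingress" hook asked about in the question. It lives in the
# netdev family and runs at the device, before the IP layer has run at all,
# so IP defragmentation (prerouting priority -400) has not happened and
# conntrack state, routing decisions and fib lookups are not available.
# "ip saddr" works here because it is in every fragment's header, but any
# rule that needs L4 fields or ct state would only see the first fragment.
table netdev antispoof_ingress {
    chain vif0_in {
        type filter hook ingress device vif0 priority filter; policy accept;
        ip saddr != 10.137.0.20 counter drop
    }
}

# Option B: prerouting at the "raw" priority (-300), as described in the
# reply. Defragmentation (-400) has already run, so the chain sees whole IP
# packets, yet it still runs before conntrack (-200), mangle (-150),
# dstnat (-100) and filter (0): a spoofed packet is dropped before any
# connection-tracking or routing work is spent on it.
table inet antispoof_raw {
    chain antispoof {
        type filter hook prerouting priority raw; policy accept;
        iifname "vif0" ip saddr != 10.137.0.20 counter drop
    }
}
```

Syntax-check the file without loading it with `nft -c -f antispoof.nft`; the `-c` (`--check`) flag parses and validates the ruleset but does not commit it to the kernel.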
