On Tue, Apr 23, 2024 at 08:40:04AM -0000, qubist wrote:
> On Mon, 22 Apr 2024 22:41:40 +0200 Marek Marczykowski-Górecki wrote:
>
> > The "antispoof" chain is hooked via the "raw" priority, which happens
> > before all kinds of connection tracking, routing etc., basically as
> > early as the firewall can see whole IP packets (not, for example, only
> > their fragments).
>
> I can see how it is done, but why would one need to (potentially)
> defragment the spoofed packets first just to drop them later? How does
> that match the mentioned principle?
>
> > Theoretically it might be moved a bit earlier,
>
> What do you mean, theoretically? It can be done practically. I have done
> it and it works.

Care to open a pull request then?

> What I am lacking is the mechanism of dynamically
> adding interface . address paired elements to the set, which comes with
> Qubes

This is done in the vif hotplug script:
https://github.com/QubesOS/qubes-core-agent-linux/blob/main/network/vif-route-qubes#L222-L223

> , so my approach is not as flexible as the original, e.g. I can
> drop hosts "pretending to be me" and bogons, but that's pretty much all.
>
> > but I don't think it saves much processing,
>
> Have you made any actual tests/comparisons? In a high-speed attack
> (many spoofed packets) it may turn out significant.

Have you measured it? I'd say it's up to the ones who propose a change to
justify it. (But if the change has no downsides, I'm okay with accepting
it without a detailed benchmark too.)

> > but on the other hand you may run into some issues since not all
> > packet fields are available at this stage yet.
>
> What issues? Which fields are necessary to drop spoofed packets?

For antispoofing, probably none. But other things can be added to the
"prerouting" chain. Or do you mean moving just the "antispoof" chain out of
"prerouting" and having it hooked directly?

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
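The structure the thread talks about, as an added example that is not Qubes' own ruleset or hotplug script: an nftables set keyed on interface name . source address, an antispoof chain that only accepts packets whose pair is in that set, hooked from prerouting at the "raw" priority, and the `nft add element` / `nft delete element` commands a hotplug script would emit when an interface comes up or goes down. The table name `antispoof_example`, the set name `allowed` and the `vif*` interface pattern are assumptions chosen for illustration; the functions only print the commands so the example runs without root.

```shell
#!/bin/sh
# Added example, not code from the Qubes project. Names are illustrative.

# Ruleset text. The "raw" priority runs before connection tracking, but (as the
# thread points out) it is still after the kernel's defragmentation step, so a
# spoofed fragmented packet is reassembled before this chain drops it. Hooking
# earlier (e.g. the netdev ingress hook) would avoid that at the cost of fewer
# available packet fields and per-device chains.
antispoof_ruleset() {
    cat <<'EOF'
table ip antispoof_example {
    set allowed {
        type ifname . ipv4_addr
    }
    chain antispoof {
        # accept only (incoming interface, source address) pairs we handed out
        iifname . ip saddr @allowed accept
        counter drop
    }
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iifname "vif*" goto antispoof
    }
}
EOF
}

# What a hotplug script would run when a vif is attached: bind the interface
# to the single address it is allowed to send from.  $1 = ifname, $2 = IPv4.
vif_allow_cmd() {
    printf 'nft add element ip antispoof_example allowed { "%s" . %s }\n' "$1" "$2"
}

# Counterpart for interface removal, so stale pairs cannot be reused later.
vif_revoke_cmd() {
    printf 'nft delete element ip antispoof_example allowed { "%s" . %s }\n' "$1" "$2"
}

# Syntax-check the ruleset without loading it, when nft is installed.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        antispoof_ruleset | nft -c -f - && echo "ruleset OK"
    else
        echo "nft not installed; skipping syntax check"
    fi
}
```

Running `check_ruleset` on a host with nftables validates the ruleset text with `nft -c` (check only); the `vif_*_cmd` output is what would be executed from the hotplug path.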
