> From: lxc-users [mailto:[email protected]] On behalf of
>
> > On Wed, Mar 11, 2015 at 7:22 PM, Fajar A. Nugraha <[email protected]> wrote:
> > On Wed, Mar 11, 2015 at 7:02 PM, Fiedler Roman <[email protected]> wrote:
> >> This should be exactly the configuration I have tested so far. But that did
> >> not yet solve my problem ...
> >>
> >> * If some process in guest registers for the same NFLOG queue, he can "steal"
> >> the messages from the host queue, thus removing traces of his activity from
> >> host logging. SECURITY-ASPECT: apart from log corruption, the guest can get
> >> knowledge about any other connection to/from other containers and the host and
> >> as they include sequence numbers, may be able to inject spoofed data into any
> >> other unencrypted TCP connection or at least interrupt the connection using
> >> another helper machine.
> >
> > No. What makes you believe that?
> >
> > Host and containers do not share iptables rules. Their entire
> > network stack is separated through network namespaces. There's no such
> > thing as "stealing the message".
>
> To further clarify:
>
> The default lxc networking setup (veth with bridge) MAY allow a
> container to snoop/hijack traffic to/from other containers. This is
> similar to how computers on the same LAN, connected to a dumb
> switch, can potentially snoop/hijack traffic to/from other computers.
> This is an ethernet bridge issue, not an iptables issue, nor an lxc issue.
>
> To prevent that issue, there are some options you can do. One option
> is to create a separate bridge for each container. The other option
> would be to use my alternative setup which I linked to earlier, which
> does NOT use a bridge.
Yes, I'm completely aware of that property of bridges. But the current issue is different: the guest can snoop on the NFLOG messages generated on the host and destined for the host, and hence can get knowledge of ANY NFLOGed connection of the host or of any guest, no matter whether it is on the same bridge or another one.
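The per-container bridge that Fajar suggests above, written out as an added example (editorial, not code from this thread or from the LXC project): a small POSIX shell script that creates one bridge per container and prints the matching lxc 1.x network stanza, so that a container's veth only ever sits on a bridge it has to itself. The container and bridge names (`br-<container>`, `veth-<container>`) are assumptions chosen for the example; the `lxc.network.*` keys are the ones the lxc 1.x config format uses.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread: one dedicated bridge per
# container, so frames of other containers never reach its veth.
# Naming scheme (br-<ctr>, veth-<ctr>) is an assumption of this example.
set -eu

# Bridge name reserved for a given container.
bridge_for() {
    printf 'br-%s\n' "$1"
}

# lxc 1.x network stanza attaching the container to its own bridge.
# Append the output to /var/lib/lxc/<ctr>/config (or include it from there).
lxc_net_config() {
    ctr="$1"
    printf 'lxc.network.type = veth\n'
    printf 'lxc.network.link = %s\n' "$(bridge_for "$ctr")"
    printf 'lxc.network.veth.pair = veth-%s\n' "$ctr"
    printf 'lxc.network.flags = up\n'
}

# Create and bring up the bridge on the host. Needs root and iproute2,
# so it is only run when the script is invoked as: ./script.sh apply <ctr>
create_bridge() {
    br="$(bridge_for "$1")"
    ip link add name "$br" type bridge
    ip link set "$br" up
}

if [ "${1:-}" = "apply" ]; then
    ctr="${2:?container name required}"
    create_bridge "$ctr"
    lxc_net_config "$ctr"
fi
```

Run without arguments the script only defines the functions; `./script.sh apply web` creates `br-web` and prints the stanza to add to the container's config. The point of the split is that the bridge is a host-only object the container never gets to reconfigure, while the snooping concern raised later in the thread (NFLOG netlink traffic) is not addressed by bridge layout at all.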
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
