On Tue, Jan 15, 2013 at 08:58:59AM -0500, Ian Stakenvicius wrote:
> On 15/01/13 04:16 AM, Michael Weber wrote:
> > Hi,
> > 
> > "This can have serious security implications" [1]
> > 
> > For whom?
> 
> I think the idea there is that a user expects eth0 and eth1 to stay
> the same, writes iptables rules on a per-interface basis to control
> what they want, then updates the kernel or makes some other change
> (upgraded udev, maybe? :D) which swaps them around and poof, the rules
> they thought were correct don't end up protecting them the way they
> assumed they would...
> 
> Not saying this is necessarily valid, just saying how I interpreted
> their meaning of "serious security implications".

Yes, that is true.

And it's not udev that could rename the interface (hint, it wouldn't),
it's the kernel, it _never_ guarantees the same interface "name" every
time you boot.  You might just be getting lucky, but really, PCI busses
can be enumerated in different ways, USB devices can come and go and
initialize sometimes slower one boot from another, and lots of other
things can happen.

So anyone who relies on network names right now to be deterministic, and
has more than one network device in their system, should seriously
reconsider how they are naming their devices, as it will not work if you
only rely on the kernel.

You might have gotten "lucky" for the past 5 years, but you never know
what could happen if you reboot today.  Seriously, I've seen it happen
all the time.

Hope this helps explain things a bit better.

greg k-h
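Below, as an added example that is not part of this thread, is a POSIX shell check for the failure mode Ian describes: it records which MAC address each interface name referenced by the firewall rules had when the rules were written, and reports any name that now maps to a different NIC (or no NIC at all). The iptables-save text and the "name mac" tables are constructed sample data; on a real host the current table would be built from `ip link` output.

```shell
#!/bin/sh
# Constructed sample: iptables-save output with per-interface rules.
RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'
# Constructed "name mac" tables: the baseline recorded when the rules were
# written, and what the kernel enumerated after a reboot (order swapped).
BASELINE='eth0 00:11:22:33:44:55
eth1 66:77:88:99:aa:bb'
AFTER_REBOOT='eth0 66:77:88:99:aa:bb
eth1 00:11:22:33:44:55'

# Interface names referenced by -i/-o in iptables-save text ($1), one per line.
rule_ifaces() {
    printf '%s\n' "$1" | grep -oE -- '(^| )-[io] [^ ]+' | awk '{print $2}' | sort -u
}

# MAC recorded for interface $2 in a "name mac" table ($1); empty if absent.
mac_of() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2; exit }'
}

# Compare the NIC behind every interface the rules name ($1) between the
# baseline table ($2) and the current table ($3). Prints one line per
# mismatch; returns 1 if any rule now applies to a different NIC, else 0.
check_drift() {
    drift=0
    for ifc in $(rule_ifaces "$1"); do
        base=$(mac_of "$2" "$ifc")
        cur=$(mac_of "$3" "$ifc")
        if [ -z "$cur" ]; then
            echo "DRIFT: $ifc is referenced by rules but no longer exists"
            drift=1
        elif [ "$base" != "$cur" ]; then
            echo "DRIFT: $ifc was $base, now $cur"
            drift=1
        fi
    done
    return $drift
}

check_drift "$RULES" "$BASELINE" "$AFTER_REBOOT" \
    || echo "interface names changed: the rules above no longer match the NICs they were written for"
```

Run the check from a boot-time hook before loading the saved rules, so a swapped enumeration is caught before the wrong NIC is left open.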
