netdev

Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c

To: Lincoln Dale <ltd@xxxxxxxxx>
Subject: Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c
From: Paul P Komkoff Jr <i@xxxxxxxxxx>
Date: Tue, 14 Sep 2004 16:39:51 +0400
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>, Paul P Komkoff Jr <i@xxxxxxxxxx>, netdev@xxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
In-reply-to: <5.1.0.14.2.20040914184652.03e24de0@171.71.163.14>
Mail-followup-to: Lincoln Dale <ltd@xxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Paul P Komkoff Jr <i@xxxxxxxxxx>, netdev@xxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
Organization: Department of Fish & Wildlife
References: <20040913051706.GB26337@stingr.sgu.ru> <20040911194108.GS28258@stingr.sgu.ru> <20040912170505.62916147.davem@davemloft.net> <20040913051706.GB26337@stingr.sgu.ru> <5.1.0.14.2.20040914184652.03e24de0@171.71.163.14>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Agent Darien Fawkes
Replying to Lincoln Dale:
> the logic is correct, but it may make sense to call the appropriate 
> netfilter hook again with the "unwrapped" GRE packet, as otherwise 
> packets-inside-GRE represent a possible security hole where one can inject 
> packets externally and bypass firewall rules.

From what I observe, netfilter hooks *are* called for unwrapped packets.
Either for usual IP packets passed from GRE tunnel, or for demangled
wccp packets.

-- 
Paul P 'Stingray' Komkoff Jr // http://stingr.net/key <- my pgp key
 This message represents the official view of the voices in my head
