Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip

To:	Paul P Komkoff Jr <i@xxxxxxxxxx>
Subject:	Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c
From:	Lincoln Dale <ltd@xxxxxxxxx>
Date:	Tue, 14 Sep 2004 23:07:50 +1000
Cc:	"David S. Miller" <davem@xxxxxxxxxxxxx>, Paul P Komkoff Jr <i@xxxxxxxxxx>, netdev@xxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
In-reply-to:	<20040914123951.GL4141@xxxxxxxxxxxxx>
References:	<5.1.0.14.2.20040914184652.03e24de0@xxxxxxxxxxxxx> <20040913051706.GB26337@xxxxxxxxxxxxx> <20040911194108.GS28258@xxxxxxxxxxxxx> <20040912170505.62916147.davem@xxxxxxxxxxxxx> <20040913051706.GB26337@xxxxxxxxxxxxx> <5.1.0.14.2.20040914184652.03e24de0@xxxxxxxxxxxxx>
Sender:	netdev-bounce@xxxxxxxxxxx

To:

Paul P Komkoff Jr <i@xxxxxxxxxx>

Subject:

Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c

From:

Lincoln Dale <ltd@xxxxxxxxx>

Date:

Tue, 14 Sep 2004 23:07:50 +1000

Cc:

"David S. Miller" <davem@xxxxxxxxxxxxx>, Paul P Komkoff Jr <i@xxxxxxxxxx>, netdev@xxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx

In-reply-to:

<20040914123951.GL4141@xxxxxxxxxxxxx>

References:

<5.1.0.14.2.20040914184652.03e24de0@xxxxxxxxxxxxx> <20040913051706.GB26337@xxxxxxxxxxxxx> <20040911194108.GS28258@xxxxxxxxxxxxx> <20040912170505.62916147.davem@xxxxxxxxxxxxx> <20040913051706.GB26337@xxxxxxxxxxxxx> <5.1.0.14.2.20040914184652.03e24de0@xxxxxxxxxxxxx>

Sender:

netdev-bounce@xxxxxxxxxxx

At 10:39 PM 14/09/2004, Paul P Komkoff Jr wrote:

Replying to Lincoln Dale:
> the logic is correct, but it may make sense to call the appropriate
> netfilter hook again with the "unwrapped" GRE packet, as otherwise
> packets-inside-GRE represent a possible security hole where one can inject
> packets externally and bypass firewall rules.

From what I observe, netfilter hooks *are* called for unwrapped packets.
Either for usual IP packets  passed from GRE tunnel, or for demangled
wccp packets.


you probably want to ensure that the order of netfilter events are:
  1. [packet comes in]
  2. netfilter INPUT
  3. [GRE decap]
  4. [addressed to us?]
      Yes => netfilter INPUT
      No => netfilter FORWARD

i don't think that both (2) and (4) are done.

also just a minor nit: not all WCCP needs to be GRE-encoded; onhigh-performance switch/router platforms, only a layer-2 rewrite of the dstMAC addr is used instead of a layer-3 GRE tunnel. you may want the commentat line 609 to explicitly mention "WCCPv1 and WCCPv2 GRE Forwarding mode".



cheers,

lincoln.

<Prev in Thread]	Current Thread	[Next in Thread>
[PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, Paul P Komkoff Jr Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, David S. Miller Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, Paul P Komkoff Jr Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, David S. Miller Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, Lincoln Dale Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, Paul P Komkoff Jr Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, Lincoln Dale <= Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, Paul P Komkoff Jr Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, David S. Miller

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: [INET] Add flags field to ip_tunnel_parm, YOSHIFUJI Hideaki / 吉藤英明
Next by Date:	Re: [INET] Add flags field to ip_tunnel_parm, James Morris
Previous by Thread:	Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, Paul P Komkoff Jr
Next by Thread:	Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, Paul P Komkoff Jr
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: [INET] Add flags field to ip_tunnel_parm, YOSHIFUJI Hideaki / 吉藤英明

Next by Date:

Re: [INET] Add flags field to ip_tunnel_parm, James Morris

Previous by Thread:

Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, Paul P Komkoff Jr

Next by Thread:

Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c, Paul P Komkoff Jr

Indexes:

[Date] [Thread] [Top] [All Lists]