
Re: iptables breakage WAS(Re: dummy as IMQ replacement

To: hadi@xxxxxxxxxx
Subject: Re: iptables breakage WAS(Re: dummy as IMQ replacement
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri, 25 Mar 2005 22:10:21 +0100
Cc: Andy Furniss <andy.furniss@xxxxxxxxxxxxx>, Harald Welte <laforge@xxxxxxxxxxxx>, Remus <rmocius@xxxxxxxxxxxxxx>, netdev <netdev@xxxxxxxxxxx>, Nguyen Dinh Nam <nguyendinhnam@xxxxxxxxx>, Andre Tomt <andre@xxxxxxxx>, syrius.ml@xxxxxxxxxx, Damion de Soto <damion@xxxxxxxxxxxx>
In-reply-to: <1111783537.1088.659.camel@xxxxxxxxxxxxxxxx>
References: <1107123123.8021.80.camel@xxxxxxxxxxxxxxxx> <423B7BCB.10400@xxxxxxxxxxxxx> <1111410890.1092.195.camel@xxxxxxxxxxxxxxxx> <423F41AD.3010902@xxxxxxxxxxxxx> <1111444869.1072.51.camel@xxxxxxxxxxxxxxxx> <423F71C2.8040802@xxxxxxxxxxxxx> <1111462263.1109.6.camel@xxxxxxxxxxxxxxxx> <42408998.5000202@xxxxxxxxxxxxx> <1111550254.1089.21.camel@xxxxxxxxxxxxxxxx> <4241C478.5030309@xxxxxxxxxxxxx> <1111607112.1072.48.camel@xxxxxxxxxxxxxxxx> <4241D764.2030306@xxxxxxxxxxxxx> <1111612042.1072.53.camel@xxxxxxxxxxxxxxxx> <4241F1D2.9050202@xxxxxxxxxxxxx> <4241F7F0.2010403@xxxxxxxxxxxxx> <1111625608.1037.16.camel@xxxxxxxxxxxxxxxx> <424212F7.10106@xxxxxxxxxxxxx> <1111663947.1037.24.camel@xxxxxxxxxxxxxxxx> <1111665450.1037.27.camel@xxxxxxxxxxxxxxxx> <4242DFB5.9040802@xxxxxxxxxxxxx> <1111749220.1092.457.camel@xxxxxxxxxxxxxxxx> <42446DB2.9070809@xxxxxxxxxxxxx> <1111781443.1092.631.camel@xxxxxxxxxxxxxxxx> <4244720C.1040907@xxxxxxxxx> <1111783537.1088.659.camel@xxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.6) Gecko/20050324 Debian/1.7.6-1
jamal wrote:
> At the moment it is expected the user will only direct IP packets at
> ipt. Note, however - desire is not to just stick to iptables
> but rather also accept arp packets and use targets arptables has etc. In such cases it will be important that checks are made.
> Even in this case though - there will be targets which probably won't care
> if I gave them a decnet packet or IP - example mark. Is this correct? I
> can understand when headers are to be mucked with.

That is correct.

> In regards to tracking:
> We will have actions that will do all those validations - but the choice
> will be up to the user's policy. Will tracking have issues if I passed it
> a packet that didn't have the correct checksum?

No, it might (TCP) simply ignore them. NAT usually does incremental
checksumming, except for ICMP errors. As for validation - I think we
have two things, necessary validations, these can't be optional,
and useless validations, since they are not necessary :) TCP checksum
for example would be useless, since everything in iptables that cares
about it needs to verify it itself anyway.

Both assume the length checks in ip_rcv() have been
performed, it actually creates security problems in a few places if
they haven't - length calculations can underflow and bad things will
happen.

> I haven't really stared at the conntrack code - If I ask it to track for
> me though, would it have issues?
> Recall that the packets at the two tc spots (ingress/egress) already
> have their skb pointers in the right spots.

It will try to track. The problematic spots are length calculations,
it is assumed that skb->len == iph->ihl*4.

Regards
Patrick
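The length checks Patrick refers to, as an added example that is not code from this thread or from the kernel: a small user-space model of the IPv4 header sanity checks ip_rcv() performs (minimum header bytes present, version 4, ihl >= 5, full header present, tot_len at least the header length and at most the bytes actually received) placed next to the kind of unchecked length arithmetic that underflows when a packet skips them. The function names and the sample packets are this example's own constructions; the header checksum verification ip_rcv() also does is omitted to keep the focus on the length logic.

```c
/* Added example (not from the netdev thread or the kernel): a user-space
 * model of the IPv4 length checks ip_rcv() performs before a packet is
 * handed to iptables, next to the unchecked arithmetic that goes wrong
 * when a frame reaches iptables without them. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IPV4_MIN_HLEN 20

/* Constructed sample packets (40 bytes each, unset bytes are zero).
 * Byte 0: version/ihl, bytes 2-3: total length (network order). */
static const uint8_t sample_ok[40]            = { 0x45, 0x00, 0x00, 0x28 }; /* tot_len 40 */
static const uint8_t sample_short_tot_len[40] = { 0x45, 0x00, 0x00, 0x08 }; /* tot_len 8 < 20 */
static const uint8_t sample_truncated[40]     = { 0x45, 0x00, 0x00, 0x64 }; /* tot_len 100 > 40 received */
static const uint8_t sample_bad_ihl[40]       = { 0x44, 0x00, 0x00, 0x28 }; /* ihl 4 < 5 */

/* Returns 0 for a structurally valid IPv4 header, a negative code otherwise.
 * Check order mirrors ip_rcv(): enough bytes for a minimal header, version,
 * ihl, enough bytes for the full header, tot_len >= header, tot_len <= len.
 * On success writes the header length and total length for the caller. */
int ipv4_sanity_check(const uint8_t *pkt, size_t len, size_t *hdr_len, size_t *tot_len)
{
    if (len < IPV4_MIN_HLEN) return -1;               /* not even a minimal header */
    unsigned version = pkt[0] >> 4;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (version != 4) return -2;
    if (ihl < IPV4_MIN_HLEN) return -3;               /* ihl field below 5 */
    if (len < ihl) return -4;                         /* options claimed but not present */
    size_t tl = ((size_t)pkt[2] << 8) | pkt[3];
    if (tl < ihl) return -5;                          /* total length shorter than header */
    if (tl > len) return -6;                          /* claims more than was received */
    if (hdr_len) *hdr_len = ihl;
    if (tot_len) *tot_len = tl;
    return 0;
}

/* The hazard: payload length computed straight from header fields. With
 * tot_len < ihl*4 the unsigned subtraction wraps to an enormous value,
 * which is exactly the "length calculations can underflow" case. */
size_t ipv4_payload_len_unchecked(const uint8_t *pkt)
{
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tl = ((size_t)pkt[2] << 8) | pkt[3];
    return tl - ihl;
}

/* Safe variant: validate first, then the subtraction cannot wrap.
 * Returns the payload length, or -1 if the header fails validation. */
long ipv4_payload_len(const uint8_t *pkt, size_t len)
{
    size_t ihl, tl;
    if (ipv4_sanity_check(pkt, len, &ihl, &tl) != 0) return -1;
    return (long)(tl - ihl);
}

int main(void)
{
    printf("ok packet: check=%d payload=%ld\n",
           ipv4_sanity_check(sample_ok, sizeof sample_ok, NULL, NULL),
           ipv4_payload_len(sample_ok, sizeof sample_ok));
    printf("tot_len<header: unchecked=%zu checked=%ld\n",
           ipv4_payload_len_unchecked(sample_short_tot_len),
           ipv4_payload_len(sample_short_tot_len, sizeof sample_short_tot_len));
    printf("truncated: check=%d, bad ihl: check=%d\n",
           ipv4_sanity_check(sample_truncated, sizeof sample_truncated, NULL, NULL),
           ipv4_sanity_check(sample_bad_ihl, sizeof sample_bad_ihl, NULL, NULL));
    return 0;
}
```

The unchecked function is there to show the failure mode, not as something to use: for the 8-byte tot_len sample it returns a wrapped value far larger than the 40 bytes actually held, which is the sort of number that then drives a memcpy or a checksum loop off the end of the buffer. Any path that feeds frames into netfilter from somewhere other than the normal receive path needs the equivalent of ipv4_sanity_check() in front of it.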
