Subject: Re: iptables breakage WAS(Re: dummy as IMQ replacement
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri, 25 Mar 2005 22:10:21 +0100
Cc: Andy Furniss <andy.furniss@xxxxxxxxxxxxx>, Harald Welte <laforge@xxxxxxxxxxxx>, Remus <rmocius@xxxxxxxxxxxxxx>, netdev <netdev@xxxxxxxxxxx>, Nguyen Dinh Nam <nguyendinhnam@xxxxxxxxx>, Andre Tomt <andre@xxxxxxxx>, syrius.ml@xxxxxxxxxx, Damion de Soto <damion@xxxxxxxxxxxx>
References: <1107123123.8021.80.camel@xxxxxxxxxxxxxxxx> <423B7BCB.10400@xxxxxxxxxxxxx> <1111410890.1092.195.camel@xxxxxxxxxxxxxxxx> <423F41AD.3010902@xxxxxxxxxxxxx> <1111444869.1072.51.camel@xxxxxxxxxxxxxxxx> <423F71C2.8040802@xxxxxxxxxxxxx> <1111462263.1109.6.camel@xxxxxxxxxxxxxxxx> <42408998.5000202@xxxxxxxxxxxxx> <1111550254.1089.21.camel@xxxxxxxxxxxxxxxx> <4241C478.5030309@xxxxxxxxxxxxx> <1111607112.1072.48.camel@xxxxxxxxxxxxxxxx> <4241D764.2030306@xxxxxxxxxxxxx> <1111612042.1072.53.camel@xxxxxxxxxxxxxxxx> <4241F1D2.9050202@xxxxxxxxxxxxx> <4241F7F0.2010403@xxxxxxxxxxxxx> <1111625608.1037.16.camel@xxxxxxxxxxxxxxxx> <424212F7.10106@xxxxxxxxxxxxx> <1111663947.1037.24.camel@xxxxxxxxxxxxxxxx> <1111665450.1037.27.camel@xxxxxxxxxxxxxxxx> <4242DFB5.9040802@xxxxxxxxxxxxx> <1111749220.1092.457.camel@xxxxxxxxxxxxxxxx> <42446DB2.9070809@xxxxxxxxxxxxx> <1111781443.1092.631.camel@xxxxxxxxxxxxxxxx> <4244720C.1040907@xxxxxxxxx> <1111783537.1088.659.camel@xxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.6) Gecko/20050324 Debian/1.7.6-1
> At the moment it is expected the user will only direct IP packets at ipt. Note, however, the desire is not to just stick to iptables but rather also accept ARP packets and use targets arptables has, etc. In such cases it will be important that checks are made. Even in this case, though, there will be targets which probably won't care if I gave them a DECnet packet or IP; example: mark. Is this correct? I can understand when headers are to be mucked with.

That is correct.

> In regards to tracking: we will have actions that will do all those validations, but the choice will be up to the user's policy. Will tracking have issues if I passed it a packet that didn't have the correct checksum?

No, it might (TCP) simply ignore them. NAT usually does incremental checksumming, except for ICMP errors. As for validation, I think we have two things: necessary validations, which can't be optional, and useless validations, since they are not necessary :) TCP checksum for example would be useless, since everything in iptables that cares about it needs to verify it itself anyway.

>> Both assume the length checks in ip_rcv() have been performed; it actually creates security problems in a few places if they haven't: length calculations can underflow and bad things will happen.
>
> I haven't really stared at the conntrack code. If I ask it to track for me, though, would it have issues? Recall that the packets at the two tc spots (ingress/egress) already have their skb pointers in the right spots.

It will try to track. The problematic spots are length calculations; it is assumed that skb->len == iph->ihl*4.

Regards
Patrick
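The point Patrick makes above, that conntrack and the iptables targets assume ip_rcv() has already validated header lengths and that skipping those checks lets length arithmetic underflow, is easy to see with a small stand-alone program. The following is an added illustration written for this page; it is not kernel code and not part of the thread. It reimplements, in user space and in spirit only, the kind of checks the IPv4 receive path performs (minimal header present, version 4, ihl >= 5, the full header actually in the buffer, tot_len consistent with the bytes held, header checksum valid), then contrasts a "trusting" TCP payload-length computation with one that validates first. All packet bytes are constructed test data; the function names and the exact list of checks are this example's own choices, not the kernel's.

```c
/* Added illustration, not kernel code: ip_rcv()-style header sanity checks
 * and the unsigned underflow that follows when a packet injected from
 * elsewhere (e.g. a tc ingress/egress action) skips them.
 * All packet contents are constructed test data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_MIN  20
#define TCP_HDR_MIN 20

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 ones' complement sum over the IPv4 header; returns 0 when the
 * header (checksum field included) verifies. */
static uint16_t ip_hdr_csum(const uint8_t *h, size_t ihl_bytes)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < ihl_bytes; i += 2)
        sum += get16(h + i);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Checks in the spirit of the IPv4 receive path. Returns 0 on success or a
 * negative code identifying the failed check. */
int ip_sanity_check(const uint8_t *pkt, size_t len)
{
    if (len < IP_HDR_MIN)           return -1;   /* no room for a header  */
    if ((pkt[0] >> 4) != 4)         return -2;   /* not IPv4              */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < IP_HDR_MIN)           return -3;   /* ihl < 5               */
    if (len < ihl)                  return -4;   /* options not present   */
    size_t tot_len = get16(pkt + 2);
    if (tot_len < ihl)              return -5;   /* tot_len inside header */
    if (tot_len > len)              return -6;   /* claims more than held */
    if (ip_hdr_csum(pkt, ihl) != 0) return -7;   /* bad header checksum   */
    return 0;
}

/* What code that trusts the headers computes: payload = length minus both
 * header lengths, unsigned. A bogus data offset or a truncated packet
 * wraps this to a huge value instead of failing. */
size_t tcp_payload_len_unchecked(const uint8_t *pkt, size_t len)
{
    size_t ihl  = (size_t)(pkt[0] & 0x0f) * 4;
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
    return len - ihl - doff;
}

/* Same computation after validation; -1 when a header disagrees with the
 * bytes present. Uses tot_len, not len, so link-layer padding is ignored. */
long tcp_payload_len_checked(const uint8_t *pkt, size_t len)
{
    if (ip_sanity_check(pkt, len) != 0) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, tot_len = get16(pkt + 2);
    if (pkt[9] != 6 || tot_len - ihl < TCP_HDR_MIN) return -1;
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
    if (doff < TCP_HDR_MIN || doff > tot_len - ihl) return -1;
    return (long)(tot_len - ihl - doff);
}

/* Builds a valid option-less IPv4/TCP SYN 10.0.0.1:80 -> 10.0.0.2:1234 with
 * `payload` bytes of 'A'. Returns the packet length, or 0 if it won't fit. */
size_t build_tcp_packet(uint8_t *buf, size_t cap, size_t payload)
{
    size_t tot = IP_HDR_MIN + TCP_HDR_MIN + payload;
    if (tot > cap || tot > 0xffff) return 0;
    memset(buf, 0, tot);
    buf[0] = 0x45;  buf[2] = (uint8_t)(tot >> 8);  buf[3] = (uint8_t)tot;
    buf[8] = 64;    buf[9] = 6;                           /* ttl, TCP     */
    buf[12] = 10;   buf[15] = 1;  buf[16] = 10;  buf[19] = 2;
    uint16_t c = ip_hdr_csum(buf, IP_HDR_MIN);
    buf[10] = (uint8_t)(c >> 8);  buf[11] = (uint8_t)c;
    uint8_t *tcp = buf + IP_HDR_MIN;
    tcp[1] = 80;  tcp[2] = 0x04;  tcp[3] = 0xd2;          /* ports        */
    tcp[12] = 0x50;  tcp[13] = 0x02;                      /* doff 5, SYN  */
    memset(tcp + TCP_HDR_MIN, 'A', payload);
    return tot;
}

int main(void)
{
    uint8_t buf[128];
    size_t len = build_tcp_packet(buf, sizeof buf, 4);
    printf("valid:      check=%d payload=%ld\n",
           ip_sanity_check(buf, len), tcp_payload_len_checked(buf, len));
    buf[IP_HDR_MIN + 12] = 0xf0;            /* claim a 60-byte TCP header */
    printf("bogus doff: unchecked=%zu checked=%ld\n",
           tcp_payload_len_unchecked(buf, len), tcp_payload_len_checked(buf, len));
    buf[IP_HDR_MIN + 12] = 0x50;
    printf("truncated:  check=%d checked=%ld\n",
           ip_sanity_check(buf, 30), tcp_payload_len_checked(buf, 30));
    return 0;
}
```

The "bogus doff" case is the one to note: ip_sanity_check() passes, because the IP header itself is fine, yet the unchecked subtraction still wraps, so the IPv4-level checks ip_rcv() does are only the first layer and each protocol helper (TCP, UDP, ICMP tracking, NAT) has to bound its own header against the remaining length as well. Anything that feeds packets to these helpers from a path other than ip_rcv() has to reproduce at least the IP-level checks first.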