| To: | Lincoln Dale <ltd@xxxxxxxxx> |
|---|---|
| Subject: | Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c |
| From: | Paul P Komkoff Jr <i@xxxxxxxxxx> |
| Date: | Tue, 14 Sep 2004 16:39:51 +0400 |
| Cc: | "David S. Miller" <davem@xxxxxxxxxxxxx>, Paul P Komkoff Jr <i@xxxxxxxxxx>, netdev@xxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx |
| In-reply-to: | <5.1.0.14.2.20040914184652.03e24de0@171.71.163.14> |
| Mail-followup-to: | Lincoln Dale <ltd@xxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Paul P Komkoff Jr <i@xxxxxxxxxx>, netdev@xxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx |
| Organization: | Department of Fish & Wildlife |
| References: | <20040913051706.GB26337@stingr.sgu.ru> <20040911194108.GS28258@stingr.sgu.ru> <20040912170505.62916147.davem@davemloft.net> <20040913051706.GB26337@stingr.sgu.ru> <5.1.0.14.2.20040914184652.03e24de0@171.71.163.14> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
| User-agent: | Agent Darien Fawkes |

Replying to Lincoln Dale:
> the logic is correct, but it may make sense to call the appropriate
> netfilter hook again with the "unwrapped" GRE packet, as otherwise
> packets-inside-GRE represent a possible security hole where one can inject
> packets externally and bypass firewall rules.

From what I observe, netfilter hooks *are* called for unwrapped packets.
Either for usual IP packets passed from GRE tunnel, or for demangled wccp
packets.

-- 
Paul P 'Stingray' Komkoff Jr // http://stingr.net/key <- my pgp key
This message represents the official view of the voices in my head