At 10:39 PM 14/09/2004, Paul P Komkoff Jr wrote:
Replying to Lincoln Dale:
> the logic is correct, but it may make sense to call the appropriate
> netfilter hook again with the "unwrapped" GRE packet, as otherwise
> packets-inside-GRE represent a possible security hole where one can inject
> packets externally and bypass firewall rules.
From what I observe, netfilter hooks *are* called for unwrapped packets.
Either for usual IP packets passed from GRE tunnel, or for demangled
wccp packets.
you probably want to ensure that the order of netfilter events are:
1. [packet comes in]
2. netfilter INPUT
3. [GRE decap]
4. [addressed to us?]
Yes => netfilter INPUT
No => netfilter FORWARD
i don't think that both (2) and (4) are done.
also just a minor nit: not all WCCP needs to be GRE-encoded; on
high-performance switch/router platforms, only a layer-2 rewrite of the dst
MAC addr is used instead of a layer-3 GRE tunnel. you may want the comment
at line 609 to explicitly mention "WCCPv1 and WCCPv2 GRE Forwarding mode".
cheers,
lincoln.
|