[PATCH/RFC/RFT] add "revision" support to arp_tables and ip6_tables
Henrik Nordstrom
hno at marasystems.com
Tue Oct 11 15:36:55 CEST 2005
On Mon, 10 Oct 2005, Harald Welte wrote:
> Are you referring to something specific inside arp_tables kernel or
> userspace code? We had a similar change in ip_tables some time ago, and
> just made sure that the userspace program ("iptables") didn't generate
> any strings longer than IPT_FUNCTION_NAMELEN-2. Since we never had any
> matches or targets that used the full length, there is no problem.
And if it becomes a problem, it is not hard to change the code to support
IPT_FUNCTION_NAMELEN-1 length targets/matches again, by implicitly
null-terminating the string after extracting the version or by using strncmp
to compare the names (no null termination required if within n).
So even if a target/match with a name of this length exists today, it is
not unfixable.
The versioning support only reduces the theoretical max target/match
length which can be supported by the structures by one character, from
IPT_FUNCTION_NAMELEN to IPT_FUNCTION_NAMELEN-1. To keep the implementation
simple, the change actually reduces the max length from
IPT_FUNCTION_NAMELEN-1 to IPT_FUNCTION_NAMELEN-2 by keeping the null
termination of the string, but this is not strictly required.
Regards
Henrik
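As an added illustration (not code from this post, from the patch under discussion, or from the netfilter project): a small C model of a name field whose last byte carries the revision, with the two kernel-side readers Henrik describes, explicit termination after extracting the revision and a bounded strncmp. NAMELEN stands in for IPT_FUNCTION_NAMELEN and its value of 30 is an assumption; the struct, function names and the constructed runs of 'a' characters are this example's own. It shows why keeping the terminator inside the field costs one more character (NAMELEN-2) than the bounded readers need (NAMELEN-1), and that both readers recover the same name and revision.

```c
#include <stdio.h>
#include <string.h>

/* Width of the name field. 30 is an assumed value for this example; the post
 * refers to it only symbolically as IPT_FUNCTION_NAMELEN. */
#define NAMELEN 30

/* Entry name field as the revision scheme lays it out: the match/target name
 * occupies the leading bytes, the revision number sits in the last byte. */
struct name_field {
    char name[NAMELEN];
};

/* Longest name the field can carry: NAMELEN-2 if the string must stay
 * NUL-terminated inside the field, NAMELEN-1 if the readers are bounded. */
size_t max_name_len(int keep_nul)
{
    return keep_nul ? NAMELEN - 2 : NAMELEN - 1;
}

/* Userspace side: store name and revision. Returns 0 on success, -1 if the
 * name would overlap the revision byte (or the reserved terminator slot). */
int encode_name(struct name_field *f, const char *name, unsigned char revision,
                int keep_nul)
{
    size_t len = strlen(name);

    if (len > max_name_len(keep_nul))
        return -1;
    memset(f->name, 0, sizeof f->name);   /* unused bytes, terminator included, are zero */
    memcpy(f->name, name, len);
    f->name[NAMELEN - 1] = (char)revision;
    return 0;
}

/* Reader 1: take the revision out, then copy the name into a caller buffer
 * and terminate it explicitly, so an unterminated NAMELEN-1 byte name is safe
 * to hand to ordinary string functions. */
void extract_name(const struct name_field *f, char out[NAMELEN],
                  unsigned char *revision)
{
    *revision = (unsigned char)f->name[NAMELEN - 1];
    memcpy(out, f->name, NAMELEN - 1);
    out[NAMELEN - 1] = '\0';
}

/* Reader 2: compare in place with strncmp bounded to NAMELEN-1 bytes, so the
 * revision byte is never read as part of the name and no terminator is
 * needed. The strlen guard rejects a wanted name that merely shares the same
 * NAMELEN-1 byte prefix while being longer. */
int name_matches(const struct name_field *f, const char *wanted,
                 unsigned char *revision)
{
    *revision = (unsigned char)f->name[NAMELEN - 1];
    return strlen(wanted) <= NAMELEN - 1 &&
           strncmp(f->name, wanted, NAMELEN - 1) == 0;
}

/* Self-check on constructed input: build a name of `len` 'a' characters,
 * encode it, and verify both readers agree. Returns -1 if the name does not
 * fit, 1 if both readers recover name and revision and a one-character
 * shorter name is correctly rejected, 0 otherwise. */
int roundtrip(size_t len, unsigned char revision, int keep_nul)
{
    char name[NAMELEN + 1];
    char out[NAMELEN];
    struct name_field f;
    unsigned char r1, r2;

    if (len > NAMELEN)
        return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    if (encode_name(&f, name, revision, keep_nul) != 0)
        return -1;
    extract_name(&f, out, &r1);
    if (strcmp(out, name) != 0 || r1 != revision)
        return 0;
    if (!name_matches(&f, name, &r2) || r2 != revision)
        return 0;
    if (len > 0) {                        /* a shorter prefix must not match */
        name[len - 1] = '\0';
        if (name_matches(&f, name, &r2))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("max name length, NUL kept:  %zu\n", max_name_len(1));
    printf("max name length, bounded:   %zu\n", max_name_len(0));
    printf("29-char name, NUL kept:     %d\n", roundtrip(29, 1, 1));
    printf("29-char name, bounded read: %d\n", roundtrip(29, 1, 0));
    return 0;
}
```

The point of the self-check is the asymmetry the post describes: a NAMELEN-1 byte name is rejected when the terminator must stay inside the field, yet both bounded readers handle it without ever touching the revision byte.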