ipv4options still broken (posted prev w/ no reply)...
kaber at trash.net
Thu Jun 1 05:25:41 CEST 2006
Cody Tubbs wrote:
> Bottom line is, it would be nice to -j LOG these options passing through
> or attempting to be passed through a bridged firewall. It details
> malicious activity, thus deterring that fact into a presumption that "I
> most likely have more serious problems" was blatantly absurd.
As I already said, please just send me your patch to disable or even
better fix this behaviour and I'm going to apply it. If you really want
to do something useful, please just fix the ipv4options match to be
acceptable for kernel inclusion. So far, it does stupid things like
using separate flags for option negation and it depends on IP option
metadata provided by the IP layer, which doesn't work for bridging.
The last point BTW really is a good example why random crap from POM
shouldn't be trusted.
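Added example (not kaber's code and not the ipv4options match itself): a walk over the options area taken straight from the raw IPv4 header, which is what a match has to do to work on a bridged path where the IP layer has attached no option metadata, with the length checks such a parser needs. The option type numbers are the standard IANA values; the result flag constants and the sample packets are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IANA option type codes (copied flag and class bits included). */
#define IPOPT_EOL  0
#define IPOPT_NOP  1
#define IPOPT_RR   7
#define IPOPT_TS   68
#define IPOPT_LSRR 131
#define IPOPT_SSRR 137
#define IPOPT_RA   148

/* Result bits: constructed for this example, not the ipv4options flags. */
enum { OPT_SSRR = 1, OPT_LSRR = 2, OPT_RR = 4, OPT_TS = 8, OPT_RA = 16, OPT_OTHER = 32 };

/* Scan the options of a raw IPv4 header. Returns a bitmask of the option
 * types seen (0 for none), or -1 if the header or option list is malformed,
 * so that a caller can log or drop truncated option lists explicitly. */
int ipv4_scan_options(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;     /* header length in bytes */
    if (ihl < 20 || ihl > len) return -1;
    int flags = 0;
    size_t off = 20;
    while (off < ihl) {
        uint8_t type = pkt[off];
        if (type == IPOPT_EOL) break;              /* end of option list */
        if (type == IPOPT_NOP) { off++; continue; } /* single-byte padding */
        if (off + 1 >= ihl) return -1;             /* length byte missing */
        uint8_t olen = pkt[off + 1];               /* covers type+len bytes */
        if (olen < 2 || off + olen > ihl) return -1; /* runs past header */
        switch (type) {
        case IPOPT_SSRR: flags |= OPT_SSRR;  break;
        case IPOPT_LSRR: flags |= OPT_LSRR;  break;
        case IPOPT_RR:   flags |= OPT_RR;    break;
        case IPOPT_TS:   flags |= OPT_TS;    break;
        case IPOPT_RA:   flags |= OPT_RA;    break;
        default:         flags |= OPT_OTHER; break;
        }
        off += olen;
    }
    return flags;
}

/* Constructed sample: ihl=7, options = NOP + Record Route (len 7). */
static const uint8_t sample_rr_pkt[28] = {
    0x47, 0x00, 0x00, 0x1c, 0, 0, 0x40, 0, 0x40, 0x01, 0, 0,
    10, 0, 0, 1, 10, 0, 0, 2, 0x01, 0x07, 0x07, 0x04, 0, 0, 0, 0 };
/* Constructed sample: ihl=6, LSRR claiming length 16 beyond the header. */
static const uint8_t sample_bad_pkt[24] = {
    0x46, 0x00, 0x00, 0x18, 0, 0, 0x40, 0, 0x40, 0x01, 0, 0,
    10, 0, 0, 1, 10, 0, 0, 2, 0x83, 0x10, 0x04, 0x00 };
```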