kaber at trash.net
Mon Jul 30 14:23:40 CEST 2007
Jan Engelhardt wrote:
> On Jul 18 2007 15:04, Patrick McHardy wrote:
>>Jan Engelhardt wrote:
>>Seems unnecessary, we don't really care whether the sequence number is
>>secure or not.
> Will tcp->seq = 0 do?
I don't know.
>>>+ /* Truncate to length (no data) */
>>>+ ntcph->doff = sizeof(struct tcphdr)/4;
>>>+ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
>>>+ niph->tot_len = htons(nskb->len);
>>>+ /* Swap source and dest */
>>>+ niph->daddr = xchg(&niph->saddr, niph->daddr);
> BTW, how come ipt_REJECT does not use xchg()?
Because its not necessary, as in this case.
>>>+static bool xt_tarpit_check(const char *tablename, const void *entry,
>>>+ const struct xt_target *target, void *targinfo,
>>>+ unsigned int hook_mask)
>>>+ bool invalid;
>>>+ if (strcmp(tablename, "raw") == 0 && hook_mask == NF_IP_PRE_ROUTING)
>>>+ return true;
>>>+ if (strcmp(tablename, "filter") != 0)
>>>+ return false;
>>>+ invalid = hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD));
>>Use generic validation please. This logic also looks overly complicated.
> I suppose you mean
> .table = "filter"
> with "generic validation". I cannot use that, because it can be used in
> two tables. [ See below ]
The origin version was simply restricted to some hooks. Why
does the table matter?
>>>I don't really like adding a notrack reference in the TARPIT target
>>>though, I would prefer to use the one from the original packet (as in
>>>REJECT) and for NOTRACK you would simply mark the original packet.
>>You're right. Yes, nf_ct_attach is also necessary. I need caffeine.
> So what's the final verdict? If TARPIT shall not imply NOTRACK,
> then of course I will remove the checks for "raw", etc. Please vote.
I think I already did :)
More information about the netfilter-devel