Paul Rusty Russell
Wed, 22 Sep 1999 03:06:12 +0930
In message <Pine.LNX.firstname.lastname@example.org> you wr
> Hi Rusty,
> Hope you're doing well. Here it is :
> #ifdef USE_POWERS_FOR_EVIL /* yes, some actually read the source ! ;-) */
Hey, we have a winner! Everyone else, pay attention... (Bonus points
for figuring out what it does).
> In packet-filter/extentions/ipt_unclean.c, it seems you forgot one 576
> (maybe a macro would be good ?) :
> limpk("First fragment size %u < 576\n", ntohs(iph->tot_len));
> In ipnatctl.8 :
> .\" Man page written by Rusty, based on iptables page by
> .\" Herve Eychenne <email@example.com>, based on
> .\" ipchains page by Paul ``Rusty'' Russell March 1997
> .\" Based on the original ipfwadm man page by Jos Vos <firstname.lastname@example.org>, who was
> .\" probably the only one who actually grokked nroff.
> Thanks, I had a good laugh. :-))
I'd forgotten about that. 8-)
> In iptables.c :
> /* FIXME: Userspace can determine that there are no loops, and should
> do so, elimintating loop check and simplifying this code. --RR */
> The point is that there should be *no* way to do any loop (thus hang the
> kernel). Would the test be done in the lib or in iptables ?
> In both cases, if in userspace, it would possible to bypass the tests.
> But as long as rules can only be set as root, there would always be a way
> to compromise kernel integrity...
There are precedents for allowing root to screw the machine up. There
are also precedents the other way; it depends on how
optimization-obsessed the kernel author is, really. The loop check
*could* be done statically in the kernel at table insertion time.
That means it has to be done without recursion...
> I guess you've already updated iptables man page (QUEUE, REJECT, state,
> unclean, etc...), so I won't provide an already obsolete patch this
> time. ;-)
Oh. Yeah... thanks, will do.