Netfilter auditing

Sandy Harris
Tue, 28 Sep 1999 11:43:19 +0000

>From he netfilter (ipchains replacement in 2.3 and 2.4 kernels)

describing an optional extra testing module:

| unclean
| This module must be explicitly specified with `-m unclean or
| `--match unclean'. It does various random sanity checks on packets.
| This module has not been audited, and should not be used as a
| security device (it probably makes things worse, since it may well
| have bugs itself). It provides no options.

Anyone on the security audit list care to audit and/or improve this?
It looks, at least at first glance, like a task that could be cleanly
separated out from the main netfilter development.