Hello Harald,

> > well, so what about making an interface in /proc to dynamically turn
> > on/off checks for that 'reserved' fields? That way admins could allow
> > those "new" packets without the need of rebooting with a new kernel and
> > an updated unclean match.
>
> This doesn't deal with the problem. How many firewall admins do even
> know about the reserved bits and do follow recent IETF development
> with regards to reserved bits in various headers?

Well, we could always do it the other way round - disable reserved bits by default and enable them via proc. Okay, it's a little bit fuzzy, but anybody who wants to deploy a firewall should read some documentation.

--
Regards, Wiktor Wodecki | http://johoho.eggheads.org
[EMAIL PROTECTED] | IRC: Johoho@IrcNET