Mr. Andras,

--- Andras Kis-Szabo <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> what is the policy/correct behavior about this field in a 'mac' module?
> When (and why) can I use this?
> 
> An example: I get a packet (ipv6) with an option header. It contains the
> type and the length. When I analyze the packet, I have to jump to the
> next header with this length offset, and when I find an interesting
> header, I have to read from it.
> What should I do when the length offset points out from the packet?
> What should I do when the packet is truncated in the option? (It has a
> type and length field, but the packet ends there and I have to read
> after these fields?)
> The 'return 0' is OK, but can I set the hotdrop or not?
> (w/o hotdrop=1, I simply discard the packet,
>  with it, I deny the whole sending mechanism, the userspace gets back an
> 'operation not permitted' msg.)

        I seemed to recall the Netfilter Hacking HOWTO explaining the meaning
of hotdrop once.

        After reading the code, here is what I think it means:

        In the function ip[6]t_do_table(), a large do-while loop is established
which does evil things to each table's chain ;). The loop collapses if at any time
the hotdrop parameter becomes TRUE, or if a definitive verdict is reached (ACCEPT,
DROP or RETURN). After hotdrop becomes TRUE, either NF_DROP is returned or the
verdict previously set from somewhere else (I can't figure this stuff out :( ).

        It's highly confusing. I think Mr. Harald can tell you with certainty.
Harald?

> 
> Regards,
> 
>       kisza
> 
> -- 

Brad


=====
Brad Chapman

Permanent e-mail: [EMAIL PROTECTED]
Current e-mail: [EMAIL PROTECTED]
Alternate e-mail: [EMAIL PROTECTED]
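
The bounds checks the question above asks about, as an added example that is not part of the original messages or of the netfilter source. The names find_hdr and walk_result are hypothetical, the buffer is assumed to start right after the fixed IPv6 header, and whether WALK_TRUNCATED becomes a plain non-match or a hotdrop is left to the caller.

```c
#include <stddef.h>
#include <stdint.h>

/* Result of the walk; the caller maps these to its own policy
 * (for example: no match, or no match plus hotdrop). */
enum walk_result { WALK_FOUND, WALK_NOT_FOUND, WALK_TRUNCATED };

/* Extension headers this example knows how to step over. */
static int is_ext_hdr(uint8_t nh)
{
    return nh == 0 /* hop-by-hop */ || nh == 43 /* routing */ ||
           nh == 44 /* fragment */ || nh == 60 /* destination options */;
}

/*
 * buf/len: bytes following the fixed 40-byte IPv6 header.
 * nexthdr: Next Header value taken from the fixed header.
 * On WALK_FOUND, *off is the offset of the wanted header inside buf and
 * at least min_len bytes of it are guaranteed to be readable.
 */
enum walk_result find_hdr(const uint8_t *buf, size_t len, uint8_t nexthdr,
                          uint8_t wanted, size_t min_len, size_t *off)
{
    size_t pos = 0;   /* invariant: pos <= len, so len - pos cannot wrap */

    for (;;) {
        if (nexthdr == wanted) {
            /* Never read the header unless all of it is present. */
            if (min_len > len - pos)
                return WALK_TRUNCATED;
            *off = pos;
            return WALK_FOUND;
        }
        if (!is_ext_hdr(nexthdr))
            return WALK_NOT_FOUND;     /* reached the upper-layer protocol */
        if (len - pos < 2)
            return WALK_TRUNCATED;     /* type/length bytes are missing */

        /* Fragment header is fixed at 8 bytes; others are (n + 1) * 8. */
        size_t hlen = (nexthdr == 44) ? 8 : ((size_t)buf[pos + 1] + 1) * 8;
        if (hlen > len - pos)
            return WALK_TRUNCATED;     /* length points outside the packet */

        nexthdr = buf[pos];
        pos += hlen;
    }
}
```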
