Mr. Andras,

--- Andras Kis-Szabo <[EMAIL PROTECTED]> wrote:
> Hi,
>
> what is the policy/correct behavior about this field in a 'mac' module?
> When (and why) can I use this?
>
> An example: I get a packet (ipv6) with an option header. It contains the
> type and the length. When I analyze the packet, I have to jump to the
> next header with this length offset, and when I find an interesting
> header, I have to read from it.
> What should I do when the length offset points out from the packet?
> What should I do when the packet is truncated in the option? (It has a
> type and length field, but the packet ends there and I have to read
> after these fields?)
> The 'return 0' is OK, but can I set the hotdrop or not?
> (w/o hotdrop=1, I simply discard the packet,
> with it, I deny the whole sending mechanism, the userspace gets back an
> 'operation not permitted' msg.)

I seemed to recall the Netfilter Hacking HOWTO explaining the meaning of
hotdrop once. After reading the code, here is what I think it means:

In the function ip[6]t_do_table(), a large do-while loop is established
which does evil things to each table's chain ;). The loop collapses if at
any time the hotdrop parameter becomes TRUE, or if a definitive verdict
is reached (ACCEPT, DROP or RETURN). After hotdrop becomes TRUE, either
NF_DROP is returned or the verdict previously set from somewhere else (I
can't figure this stuff out :( It's highly confusing.

I think Mr. Harald can tell you with certainty. Harald?

>
> Regards,
>
> kisza
>
> --

Brad

=====
Brad Chapman

Permanent e-mail: [EMAIL PROTECTED]
Current e-mail: [EMAIL PROTECTED]
Alternate e-mail: [EMAIL PROTECTED]
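
A userspace sketch of the bounds checks the question describes, added here as an example; it is not part of either message and is not netfilter's code. The helper name `find_ext_header`, the sample packets, and the choice to set `hotdrop` whenever an option is truncated or its length points outside the packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed samples: 40-byte fixed header + 8-byte destination options. */
static const uint8_t sample_ok[48]  = { [6] = 60, [40] = 59, [41] = 0 };
static const uint8_t sample_bad[48] = { [6] = 60, [40] = 59, [41] = 3 };

/* Hop-by-hop (0), routing (43) and destination options (60) share a layout:
 * byte 0 = next header, byte 1 = length in 8-octet units minus the first. */
static int is_walkable_ext(uint8_t nh)
{
    return nh == 0 || nh == 43 || nh == 60;
}

/* Hypothetical helper: offset of extension header `wanted`, or -1.
 * *hotdrop is set only when the packet is malformed or truncated. */
static long find_ext_header(const uint8_t *pkt, size_t len,
                            uint8_t wanted, int *hotdrop)
{
    size_t off = 40, hdrlen;
    uint8_t nh;

    *hotdrop = 1;                     /* assume malformed until proven otherwise */
    if (len < 40)
        return -1;                    /* fixed header itself is cut short */
    nh = pkt[6];                      /* Next Header field of the fixed header */
    while (is_walkable_ext(nh)) {
        if (len - off < 2)
            return -1;                /* type/length bytes are missing */
        hdrlen = ((size_t)pkt[off + 1] + 1) * 8;
        if (hdrlen > len - off)
            return -1;                /* length points outside the packet */
        if (nh == wanted) {
            *hotdrop = 0;             /* whole header lies inside the packet */
            return (long)off;
        }
        nh = pkt[off];
        off += hdrlen;
    }
    *hotdrop = 0;                     /* well-formed, header simply absent */
    return -1;
}

int main(void)
{
    int hd;
    long off = find_ext_header(sample_bad, sizeof sample_bad, 60, &hd);
    return !(off == -1 && hd == 1);   /* exit 0: overlong length was flagged */
}
```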