On Mon, Apr 15, 2002 at 03:41:25AM -0700, Brad Chapman wrote:
> > There is no real change in the structure layout, it's just one additional
> > value that is becoming valid...
>
> Yes. After studying my patches some more, I've realized the following:
>
> - unpatched userspace simply doesn't tickle the case statement in the
>   kernel that specifies a type-3-code-13 packet
> - unpatched kernelspace just doesn't accept the value contained in
>   the enum IPT_ICMP_ADMIN_PROHIBITED
>
> Either way, I don't see any bugs from my POV (yet).

Imagine the following case:

Old kernel, new iptables userspace:

Somebody inserts a rule with the new admin_prohibited flag. The old REJECT
module doesn't trigger any of the case statements, resulting in a plain DROP.

This is not a very big problem, if it is clearly documented. However, I
still don't like this kind of hard-to-debug hidden stuff.

> Brad

-- 
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
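
Added example, not part of the original message and not kernel or iptables code: a userspace C model of the old-kernel/new-userspace case described above, showing the silent fall-through to DROP next to an insert-time check that makes the mismatch visible. Only IPT_ICMP_ADMIN_PROHIBITED comes from the thread; the other enum values, the verdict names and both functions are hypothetical stand-ins.

```c
#include <stdio.h>

/* Simplified model of the reject-with values. Only IPT_ICMP_ADMIN_PROHIBITED
 * is named in the thread; the REJ_* values are stand-ins. */
enum reject_with {
    REJ_PORT_UNREACHABLE,
    REJ_HOST_PROHIBITED,
    REJ_TCP_RESET,
    IPT_ICMP_ADMIN_PROHIBITED   /* new value, unknown to the old handler */
};

enum verdict { V_DROP_SILENT, V_REPLIED };

/* Model of the old packet path: there is no case for the new value, so
 * control leaves the switch and the packet is dropped with no reply. */
enum verdict old_reject_target(int with)
{
    switch (with) {
    case REJ_PORT_UNREACHABLE:
    case REJ_HOST_PROHIBITED:
    case REJ_TCP_RESET:
        return V_REPLIED;       /* stands for "send ICMP error or TCP RST" */
    }
    return V_DROP_SILENT;
}

/* Hypothetical insert-time check: refuse any value the packet path cannot
 * act on, so the mismatch shows up as an error when the rule is added
 * instead of as unexplained drops later. Returns 0 if accepted, -1 if not. */
int old_reject_checkentry(int with)
{
    switch (with) {
    case REJ_PORT_UNREACHABLE:
    case REJ_HOST_PROHIBITED:
    case REJ_TCP_RESET:
        return 0;
    default:
        fprintf(stderr, "REJECT: unsupported reject-with value %d\n", with);
        return -1;
    }
}

int main(void)
{
    int with = IPT_ICMP_ADMIN_PROHIBITED;   /* rule built by new userspace */
    printf("without check: verdict=%d (0 = silent drop)\n",
           old_reject_target(with));
    printf("with check:    insert returns %d\n", old_reject_checkentry(with));
    return 0;
}
```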