Mr. Harald,

--- Harald Welte <[EMAIL PROTECTED]> wrote:
> On Mon, Apr 15, 2002 at 03:41:25AM -0700, Brad Chapman wrote:
> > > There is no real change in the structure layout, it's just one additional
> > > value that is becoming valid...
> >
> > Yes. After studying my patches some more, I've realized the following:
> >
> > - unpatched userspace simply doesn't tickle the case statement in the
> > kernel that specifies a type-3-code-13 packet
> > - unpatched kernelspace just doesn't accept the value contained in
> > the enum IPT_ICMP_ADMIN_PROHIBITED
> >
> > Either way, I don't see any bugs from my POV (yet).
>
> Imagine the following case: Old kernel, new iptables userspace:
>
> Somebody inserts a rule with the new admin_prohibited flag.
> The old REJECT module doesn't trigger any of the case statements, resulting
> in a plain DROP.
>
> This is not a very big problem, if it is clearly documented. However, I
> still don't like this kind of hard-to-debug hidden stuff.
Then let's add a warning to the patch help statement:

WARNING: If an iptables distribution containing this patch is interfaced with
a kernel not containing this patch, any packet with the verdict of
"-j REJECT --reject-with admin-prohibited" will be summarily DROPped.

Is this warning clear enough, sir? You'll have to write this yourself, since
my development machine is down for repair at the moment.

> > Brad
>
> --
> Live long and prosper
> - Harald Welte / [EMAIL PROTECTED] http://www.gnumonks.org/

Brad

=====
Brad Chapman
Permanent e-mail: [EMAIL PROTECTED]
Current e-mail: [EMAIL PROTECTED]
Alternate e-mail: [EMAIL PROTECTED]
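A constructed C model of the old-kernel/new-userspace skew discussed in the thread, added here as an illustration and not taken from the netfilter sources or the patch: the enum numbering, the ICMP code mapping, and the load-time range check are assumptions. It shows the unrecognised reject-with value silently becoming a DROP, and the rule-insertion check that would make the mismatch fail loudly instead.

```c
#include <errno.h>

/* Constructed subset of the REJECT target's reject-with values; only the
 * ICMP type-3 variants are modelled. IPT_ICMP_ADMIN_PROHIBITED is the value
 * the patch appends, so an unpatched kernel has no case for it. */
enum ipt_reject_with {
    IPT_ICMP_NET_UNREACHABLE,
    IPT_ICMP_HOST_UNREACHABLE,
    IPT_ICMP_PROT_UNREACHABLE,
    IPT_ICMP_PORT_UNREACHABLE,
    IPT_ICMP_NET_PROHIBITED,
    IPT_ICMP_HOST_PROHIBITED,
    IPT_ICMP_ADMIN_PROHIBITED,      /* new: ICMP type 3, code 13 */
};

#define VERDICT_DROP (-1)           /* discarded, no ICMP error sent */

/* Packet-path behaviour: returns the ICMP type-3 code to send, or
 * VERDICT_DROP when the module has no case for the value. kernel_patched
 * selects whether the admin-prohibited case exists in this "kernel". */
static int reject_verdict(int reject_with, int kernel_patched)
{
    switch (reject_with) {
    case IPT_ICMP_NET_UNREACHABLE:  return 0;
    case IPT_ICMP_HOST_UNREACHABLE: return 1;
    case IPT_ICMP_PROT_UNREACHABLE: return 2;
    case IPT_ICMP_PORT_UNREACHABLE: return 3;
    case IPT_ICMP_NET_PROHIBITED:   return 9;
    case IPT_ICMP_HOST_PROHIBITED:  return 10;
    case IPT_ICMP_ADMIN_PROHIBITED:
        if (kernel_patched)
            return 13;
        break;                      /* old kernel: no match, plain DROP */
    default:
        break;
    }
    return VERDICT_DROP;
}

/* Rule-insertion check (assumed, checkentry-style): refuse a reject-with
 * value this kernel cannot honour with -EINVAL, so the user learns about the
 * userspace/kernel mismatch when loading the rule rather than by watching
 * packets vanish. */
static int reject_checkentry(int reject_with, int kernel_patched)
{
    int max = kernel_patched ? IPT_ICMP_ADMIN_PROHIBITED
                             : IPT_ICMP_HOST_PROHIBITED;
    if (reject_with < 0 || reject_with > max)
        return -EINVAL;
    return 0;
}
```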