Mr. Harald,

--- Harald Welte <[EMAIL PROTECTED]> wrote:
> On Mon, Apr 15, 2002 at 03:41:25AM -0700, Brad Chapman wrote:
> > > There is no real change in the structure layout, it's just one additional
> > > value that is becoming valid...
> > 
> >         Yes. After studying my patches some more, I've realized the following:
> > 
> >         - unpatched userspace simply doesn't tickle the case statement in the
> >           kernel that specifies a type-3-code-13 packet
> >         - unpatched kernelspace just doesn't accept the value contained in
> >         the enum IPT_ICMP_ADMIN_PROHIBITED
> > 
> >         Either way, I don't see any bugs from my POV (yet).
> 
> Imagine the following case:  Old kernel, new iptables userspace:
> 
> Somebody inserts a rule with the new admin_prohibited flag.
> The old REJECT module doesn't trigger any of the case statements, resulting
> in a plain DROP.
> 
> This is not a very big problem, if it is clearly documented.  However, I
> still don't like this kind of hard-to-debug hidden stuff.

        Then let's add a warning to the patch help statement:

        WARNING: If an iptables distribution containing this patch is interfaced
        with a kernel not containing this patch, any packet with the verdict of
        "-j REJECT --reject-with admin-prohibited" will be summarily DROPped.
        
        Is this warning clear enough, sir? You'll have to write this yourself,
since my development machine is down for repair at the moment.

> 
> > Brad
> 
> -- 
> Live long and prosper
> - Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/

Brad


=====
Brad Chapman

Permanent e-mail: [EMAIL PROTECTED]
Current e-mail: [EMAIL PROTECTED]
Alternate e-mail: [EMAIL PROTECTED]
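The version-skew case Harald describes (new iptables userspace, old REJECT module) modelled as an added example; this is not code from the thread or from netfilter, and the enum ordering, the option name "admin-prohibited", and the helper names (old_kernel_reject, new_kernel_reject, parse_reject_with, simulate) are assumptions made for the illustration. It shows why the result is a silent DROP rather than an error: the patched enum value reaches a switch that has no case for it, so no ICMP is generated and the packet just takes the NF_DROP exit; the patched module adds exactly one case, mapping the value to ICMP type 3 code 13.

```c
#include <stdio.h>
#include <string.h>

/* Netfilter verdict and ICMP constants (standard values). */
#define NF_DROP            0
#define ICMP_DEST_UNREACH  3
#define ICMP_NET_UNREACH   0
#define ICMP_HOST_UNREACH  1
#define ICMP_PROT_UNREACH  2
#define ICMP_PORT_UNREACH  3
#define ICMP_NET_ANO       9
#define ICMP_HOST_ANO     10
#define ICMP_PKT_FILTERED 13   /* type 3 code 13: administratively prohibited */

/* Model of the REJECT enum (ordering assumed); the patch appends one value. */
enum ipt_reject_with {
    IPT_ICMP_NET_UNREACHABLE,
    IPT_ICMP_HOST_UNREACHABLE,
    IPT_ICMP_PROT_UNREACHABLE,
    IPT_ICMP_PORT_UNREACHABLE,
    IPT_ICMP_ECHOREPLY,
    IPT_ICMP_NET_PROHIBITED,
    IPT_ICMP_HOST_PROHIBITED,
    IPT_TCP_RESET,
    IPT_ICMP_ADMIN_PROHIBITED   /* the value the patch under discussion adds */
};

struct reject_result {
    int verdict;        /* REJECT always ends in NF_DROP */
    int icmp_sent;      /* 1 if an ICMP error was returned to the sender */
    int icmp_type, icmp_code;
};

static struct reject_result drop_only(void) {
    struct reject_result r = { NF_DROP, 0, 0, 0 };
    return r;
}

static struct reject_result unreach(int code) {
    struct reject_result r = { NF_DROP, 1, ICMP_DEST_UNREACH, code };
    return r;
}

/* Unpatched REJECT module: no case matches the new value, so the packet
 * falls out of the switch and is dropped without any reply. */
static struct reject_result old_kernel_reject(enum ipt_reject_with with) {
    switch (with) {
    case IPT_ICMP_NET_UNREACHABLE:  return unreach(ICMP_NET_UNREACH);
    case IPT_ICMP_HOST_UNREACHABLE: return unreach(ICMP_HOST_UNREACH);
    case IPT_ICMP_PROT_UNREACHABLE: return unreach(ICMP_PROT_UNREACH);
    case IPT_ICMP_PORT_UNREACHABLE: return unreach(ICMP_PORT_UNREACH);
    case IPT_ICMP_NET_PROHIBITED:   return unreach(ICMP_NET_ANO);
    case IPT_ICMP_HOST_PROHIBITED:  return unreach(ICMP_HOST_ANO);
    case IPT_TCP_RESET:      /* TCP RST is sent instead of ICMP */
    case IPT_ICMP_ECHOREPLY: /* handled elsewhere, never reaches here */
    default:
        break;
    }
    return drop_only();      /* the "plain DROP" from the thread */
}

/* Patched module: one additional case, everything else unchanged. */
static struct reject_result new_kernel_reject(enum ipt_reject_with with) {
    if (with == IPT_ICMP_ADMIN_PROHIBITED)
        return unreach(ICMP_PKT_FILTERED);
    return old_kernel_reject(with);
}

/* Userspace side of "--reject-with": 0 and *out set on success, -1 if this
 * iptables build does not know the name (an old build refuses the new one). */
static int parse_reject_with(const char *name, int userspace_patched,
                             enum ipt_reject_with *out) {
    static const struct {
        const char *name; enum ipt_reject_with with; int needs_patch;
    } tbl[] = {
        { "icmp-net-unreachable",  IPT_ICMP_NET_UNREACHABLE,  0 },
        { "icmp-host-unreachable", IPT_ICMP_HOST_UNREACHABLE, 0 },
        { "icmp-port-unreachable", IPT_ICMP_PORT_UNREACHABLE, 0 },
        { "tcp-reset",             IPT_TCP_RESET,             0 },
        { "admin-prohibited",      IPT_ICMP_ADMIN_PROHIBITED, 1 },
    };
    size_t i;
    for (i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
        if (strcmp(name, tbl[i].name) != 0) continue;
        if (tbl[i].needs_patch && !userspace_patched) return -1;
        *out = tbl[i].with;
        return 0;
    }
    return -1;
}

/* One userspace/kernel combination: -1 if iptables refuses the rule, else 0
 * with *r describing what the kernel does to a matching packet. */
static int simulate(const char *reject_with, int userspace_patched,
                    int kernel_patched, struct reject_result *r) {
    enum ipt_reject_with with;
    if (parse_reject_with(reject_with, userspace_patched, &with) < 0)
        return -1;
    *r = kernel_patched ? new_kernel_reject(with) : old_kernel_reject(with);
    return 0;
}

int main(void) {
    int us, ks;
    for (us = 0; us < 2; us++)
        for (ks = 0; ks < 2; ks++) {
            struct reject_result r;
            printf("iptables %s / kernel %s: ", us ? "patched" : "old",
                   ks ? "patched" : "old");
            if (simulate("admin-prohibited", us, ks, &r) < 0)
                printf("rule refused by iptables\n");
            else if (r.icmp_sent)
                printf("ICMP type %d code %d, then DROP\n", r.icmp_type, r.icmp_code);
            else
                printf("silent DROP, no ICMP\n");
        }
    return 0;
}
```

Of the four combinations, only patched iptables on an old kernel is dangerous: the rule loads fine, but the sender sees the same thing as a DROP, which is exactly the hard-to-debug behaviour the warning text above is meant to document. A kernel-side range check in the module's checkentry (refusing any `with` value beyond what the switch handles) would turn that silent case into a load-time error.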
