[Q]: hotdrop

2002-04-16 Thread Andras Kis-Szabo

Hi,

what is the policy/correct behavior about this field in a 'mac' module?
When (and why) can I use this?

An example: I get a packet (ipv6) with an option header. It contains the
type and the length. When I analyze the packet, I have to jump to the
next header with this length offset, and when I find an interesting
header, I have to read from it.
What should I do when the length offset points outside the packet?
What should I do when the packet is truncated in the option? (It has a
type and length field, but the packet ends there and I have to read
after these fields?)
The 'return 0' is OK, but can I set the hotdrop or not?
(w/o hotdrop=1, I simply discard the packet;
 with it, I deny the whole sending mechanism, and the userspace gets back an
'operation not permitted' msg.)

Regards,

kisza

-- 
Andras Kis-Szabo   Security Development, Design and Audit
-/   Zorp, NetFilter and IPv6
 [EMAIL PROTECTED] /--
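As an added illustration (not code from this thread or from the kernel's ip6t modules), the following self-contained C function walks the option TLVs the question describes and maps the two malformed cases it raises (length running past the packet, type byte with no length byte) onto the "return 0 with hotdrop set" path, while a well-formed header without the wanted option is a plain "return 0". The `classify` helper, the verdict codes and the sample headers are assumptions made for this example; the choice to set hotdrop on malformed headers follows the question's own description, not a stated project policy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, self-contained illustration of the check the question asks
 * about: walk the TLV options of an IPv6 Hop-by-Hop/Destination Options
 * header looking for option type `wanted`.  Not the kernel's ip6t code. */
#define OPT_PAD1 0          /* Pad1: a single byte with no length field */
#define VERDICT_HOTDROP -1  /* malformed header: hotdrop set, 0 returned */
#define VERDICT_NOMATCH  0  /* well formed, option absent */
#define VERDICT_MATCH    1

static int bail(bool *hotdrop) { *hotdrop = true; return 0; }

/* pkt points at the extension header: byte 0 = Next Header, byte 1 = Hdr Ext Len
 * (8-octet units, excluding the first 8).  Returns 1 if `wanted` is found, else 0;
 * *hotdrop is set whenever a length field runs past the bytes we actually have. */
int find_ipv6_option(const uint8_t *pkt, size_t pkt_len, uint8_t wanted, bool *hotdrop)
{
    *hotdrop = false;
    if (pkt_len < 2)                    /* not even Next Header + Hdr Ext Len */
        return bail(hotdrop);
    size_t hdr_len = ((size_t)pkt[1] + 1) * 8;
    if (hdr_len > pkt_len)              /* header claims bytes the packet lacks */
        return bail(hotdrop);
    for (size_t off = 2; off < hdr_len; ) {
        uint8_t type = pkt[off];
        if (type == OPT_PAD1) { off++; continue; }
        if (off + 1 >= hdr_len)         /* type byte present, length byte missing */
            return bail(hotdrop);
        uint8_t olen = pkt[off + 1];
        if (off + 2 + olen > hdr_len)   /* option data runs past the header end */
            return bail(hotdrop);
        if (type == wanted)
            return 1;
        off += 2 + olen;
    }
    return 0;
}

/* Collapses (return value, hotdrop) into one verdict code for checking. */
int classify(const uint8_t *pkt, size_t pkt_len, uint8_t wanted)
{
    bool hotdrop;
    int m = find_ipv6_option(pkt, pkt_len, wanted, &hotdrop);
    return hotdrop ? VERDICT_HOTDROP : (m ? VERDICT_MATCH : VERDICT_NOMATCH);
}

/* Constructed sample headers: Next Header 59 (none), Hdr Ext Len 0 (8 bytes). */
static const uint8_t good_hdr[8] = { 59, 0, 5, 2, 0, 0, 1, 0 };  /* opt 5 (2 bytes) + PadN */
static const uint8_t overlong[8] = { 59, 0, 5, 9, 0, 0, 0, 0 };  /* opt 5 claims 9 data bytes */
static const uint8_t no_len[8]   = { 59, 0, 1, 3, 0, 0, 0, 5 };  /* type 5 at end, no length byte */
```

Passing `good_hdr` with a `pkt_len` of 6 models the truncated-packet case: the header's own length field says 8 bytes, so the walk never starts and hotdrop is set.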





Re: [Q]: hotdrop

2002-04-16 Thread Brad Chapman

Mr. Andras,

--- Andras Kis-Szabo [EMAIL PROTECTED] wrote:
> Hi,
> 
> what is the policy/correct behavior about this field in a 'mac' module?
> When (and why) can I use this?
> 
> An example: I get a packet (ipv6) with an option header. It contains the
> type and the length. When I analyze the packet, I have to jump to the
> next header with this length offset, and when I find an interesting
> header, I have to read from it.
> What should I do when the length offset points outside the packet?
> What should I do when the packet is truncated in the option? (It has a
> type and length field, but the packet ends there and I have to read
> after these fields?)
> The 'return 0' is OK, but can I set the hotdrop or not?
> (w/o hotdrop=1, I simply discard the packet;
>  with it, I deny the whole sending mechanism, and the userspace gets back an
> 'operation not permitted' msg.)

I seemed to recall the Netfilter Hacking HOWTO explaining the meaning
of hotdrop once.

After reading the code, here is what I think it means:

In the function ip[6]t_do_table(), a large do-while loop is established
which does evil things to each table's chain ;). The loop collapses if at any time
the hotdrop parameter becomes TRUE, or if a definitive verdict is reached (ACCEPT,
DROP or RETURN). After hotdrop becomes TRUE, either NF_DROP is returned or the
verdict previously set from somewhere else (I can't figure this stuff out :(

It's highly confusing. I think Mr. Harald can tell you with certainty.
Harald?

> 
> Regards,
> 
>   kisza
> 
> -- 

Brad


=
Brad Chapman

Permanent e-mail: [EMAIL PROTECTED]
Current e-mail: [EMAIL PROTECTED]
Alternate e-mail: [EMAIL PROTECTED]
