On Thursday, 08.09.2011, 16:52 +0100, Stuart Henderson wrote:
> On 2011/09/08 17:32, Steffen Wendzel wrote:
> > On Thursday, 08.09.2011, 16:20 +0100, Stuart Henderson wrote:
> > > On 2011/09/08 13:00, Steffen Wendzel wrote:
> > > > Final patch:
> > > >
> > > > Index: pf_norm.c
> > > > ===================================================================
> > > > RCS file: /cvs/src/sys/net/pf_norm.c,v
> > > > retrieving revision 1.140
> > > > diff -u -p -r1.140 pf_norm.c
> > > > --- pf_norm.c 18 Jul 2011 21:03:10 -0000 1.140
> > > > +++ pf_norm.c 8 Sep 2011 10:02:37 -0000
> > > > @@ -1454,4 +1454,7 @@ pf_scrub(struct mbuf *m, u_int16_t flags
> > > > if (flags & PFSTATE_RANDOMID && af == AF_INET &&
> > > > !(h->ip_off & ~htons(IP_DF)))
> > > > h->ip_id = htons(ip_randomid());
> > > > +
> > > > + /* clear IP reserved flag */
> > > > + h->off &= ~htons(IP_RF);
> > > > }
> > >
> > > IMO, this should have a flag and config variable associated with it.
> > >
> >
> > I don't think so since similar features are not linked to config
> > variables. Most of these tiny features are not even mentioned in the
> > manpage.
>
> By definition you don't know what this is or may be used for,
> this might break something.
>
> Features like set-tos, no-df etc have config variables.
> The tos bits could be used as a sidechannel too; we certainly
> don't want to unilaterally clear them.
>
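Review bot: the added statement writes to `h->off`, but the context lines of the same hunk read the field as `h->ip_off` (`!(h->ip_off & ~htons(IP_DF)))`), so as posted the patch will not compile against `struct ip`; it should be `h->ip_off &= ~htons(IP_RF);`. The new line is also unconditional, while the `ip_id` assignment immediately above it is guarded by `af == AF_INET`; the clearing of the reserved bit should sit under the same address-family check so that `pf_scrub()` does not modify the header of an IPv6 packet through the `struct ip` pointer.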
I didn't talk about side channels, I talked about covert storage channels. In contrast to the *reserved* flag, the other mentioned flags are useful. You will not break anything by clearing the reserved flag. Other normalizers (both industry and research implementations) have done that too for approx. 10 years. However, this patch is just a proposal -- you do not have to apply it.

-Steffen

--
With best regards/ Mit freundlichen Grüßen
Steffen Wendzel Dipl.Inf.(FH)
My website: http://www.wendzel.de
My blog: http://steffen-wendzel.blogspot.com
Our books: http://www.linux-openbook.de
Read the new Linux handbook for free: http://openbook.galileocomputing.de/linux/
