From: Wang Jian <lark@linux.net.cn>
To: netfilter-devel@lists.netfilter.org
Subject: Re[2]: new REBOOT target
Date: Mon, 28 Feb 2005 17:41:40 +0800
Message-ID: <20050228174120.C816.LARK@linux.net.cn>
In-Reply-To: <20050228090635.GA25632@roonstrasse.net>

Hi Max Kellermann,

See my original post for the note on --offset and --passphrase :)

I know they should be a match, and actually, the functionality is in
string match, partially. Because the kernel I use has no string match
builtin, and I didn't want to compile them, I chose to do the matching
in the target itself ;)

It is really an ugly hack in some sense. I originally planned to write a
small LKM rootkit to do that, but then I chose netfilter to hook in.
LKM rootkit is more management related ;)

Besides my laziness, the --passphrase is an error-proof mechanism per se.
Let's assume someone wants to use -j REBOOT, but he doesn't specify a
good enough match, just '-p icmp', then boom ;) In this sense, the
--passphrase is not a match, but part of the target.

On Mon, 28 Feb 2005 10:06:35 +0100, Max Kellermann <max@duempel.org> wrote:
> On 2005/02/26 15:30, Wang Jian <lark@linux.net.cn> wrote:
> > # iptables -I INPUT -p icmp -j REBOOT --passphrase pass [--offset offset]
> > [--hard (0|1)]
>
> Ugly hack for an ugly problem ;) - still, it's an interesting idea for
> people plagued with such a problem.
>
> You have implemented the "--passphrase" parameter in your REBOOT
> target, but that "--passphrase" is in fact a match, not a target
> parameter. Targets should not perform a test on the packet, it's not
> their task (it should not assume the packet is ICMP either, that drops
> a lot of flexibility). You should implement this part as a match
> module.
>
> Maybe someone has already written such a module.. look at
> patch-o-matic.
>
> On the contrary, "--hard" is not a match, it controls what REBOOT should
> do in detail, so this one is ok.
>
> Max
--
lark