From: Aaron Lewis <the.warl0ck.1989@gmail.com>
To: Eric Leblond <eric@regit.org>
Cc: Aaron Lewis <the.warl0ck.1989@gmail.com>,
netfilter mailing list <netfilter@vger.kernel.org>
Subject: [SOLVED] Re: Is it safe to use libnetfilter_queue in these cases?
Date: Tue, 12 Feb 2013 11:03:58 +0800
Message-ID: <20130212030357.GA16608@devnull>
In-Reply-To: <1360564394.5195.14.camel@ice-age.regit.org>

Hello Eric!

On 07:33 Mon 11 Feb, Eric Leblond wrote:
> Hello,
>
> On Monday, 11 February 2013 at 12:43 +0800, Aaron Lewis wrote:
> > Hi,
> >
> > When I process a packet with libnetfilter_queue, would it be safe to:
> >
> > 1) Consider a packet is always valid, for example,
> >
> > In the callback, you extract the payload to a "char *data", now you
> > want the protocol id, so you check data[9],
> >
> > Is it safe if I don't check the package length first? (Would Iptables
> > drop it manually?)
>
> It is always good for security reasons to check the length.
>
> The following document contains useful information about
> libnetfilter_queue:
> https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
Thanks!
I thought iptables would discard invalid packets. I'll do the
packet length check.
>
> BR,
> --
> Eric Leblond
>
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
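
A length-checked version of the `data[9]` lookup discussed in this thread, as an added example that is not code from either poster or from libnetfilter_queue. The names `parse_ipv4`, `struct ipv4_info` and `sample_pkt` are hypothetical, and it assumes the queue delivers IPv4 packets starting at the IP header.

```c
#include <stddef.h>
#include <stdint.h>

/* Validated fields of a queued IPv4 packet (hypothetical type). */
struct ipv4_info {
    uint8_t protocol;    /* byte 9 of the IPv4 header */
    size_t  header_len;  /* IHL * 4 */
    size_t  total_len;   /* Total Length field, bounded by the buffer */
};

/*
 * Validate an IPv4 header before reading any field from it.
 * data/len are what an NFQUEUE callback obtains from nfq_get_payload(),
 * which returns the payload length or -1 on error.
 * Returns 0 and fills *out on success, -1 if the buffer cannot be trusted.
 * A copy truncated by a small copy range is rejected as well.
 */
int parse_ipv4(const unsigned char *data, int len, struct ipv4_info *out)
{
    if (data == NULL || out == NULL || len < 20)
        return -1;                  /* shorter than a minimal header */
    if ((data[0] >> 4) != 4)
        return -1;                  /* version field is not 4 */

    size_t ihl = (size_t)(data[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > (size_t)len)
        return -1;                  /* bad or truncated header */

    size_t total = ((size_t)data[2] << 8) | data[3];
    if (total < ihl || total > (size_t)len)
        return -1;                  /* length field disagrees with buffer */

    out->protocol = data[9];        /* safe: len >= 20 was checked above */
    out->header_len = ihl;
    out->total_len = total;
    return 0;
}

/* Constructed sample: 20-byte IPv4 header, protocol 6 (TCP), total length 20. */
const unsigned char sample_pkt[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02
};
```

The transport header, if needed, starts at `data + header_len` and needs its own length check against `total_len` before any of its fields are read.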