From: Philip Craig <philipc@snapgear.com>
To: Chris Poon <Chris.Poon@TELUS.COM>
Cc: "'netfilter-devel@lists.netfilter.org'"
<netfilter-devel@lists.netfilter.org>
Subject: Re: [PATCH] big endian patch against netfilter after PPTP NAT pat ch
Date: Thu, 06 Feb 2003 10:09:32 +1000 [thread overview]
Message-ID: <3E41A7BC.20209@snapgear.com> (raw)
In-Reply-To: 771F217D7A4AF84494632457889470A412D77E@bcmsg011.corp.ads
Chris Poon wrote:
> Padding was the first way I think of how to solve it, but now that I look at it
> again, the problem is actually the size assumption of the mask - almost
> all helpers assumes a 16 bit mask. The PPTP patch breaks that assumption,
> and because of the nature of the patches, I wouldn't have modified all the
> places where the mask is filled out. Maybe the correct way is solve this is to
> make the field size change permanent in ip_conntrack_manip_proto and
> ip_conntrack_tuple, and change all the places that fill out the mask to use
> the right sized mask instead of 0xffff, which happens to break the big-endian
> machines but not the little endian machines. What do you think?
No, the masks the helpers currently use are the correct mask
for what they need. For example, the ftp helper wants the
mask to cover the IP address and the TCP port. The TCP port
is still only 16 bits regardless of what changes are made to
the structure, so the mask must still be 0xffff.
The problem is that they are storing the mask in the u.all
member of the union, rather than the specific member that
they are interested in. So if the total size of union
changes, the mask getting stored will no longer match up
with the appropriate member, depending on endianness and
padding.
The proper fix is what Harald said: zero out the structure, and
store the mask in the specific member, rather than u.all.
Once they are fixed properly, they will also work for any
future changes to the tuple structure.
Paul Mielke posted a patch a few weeks ago that fixed the ftp
helper and the SO_ORIGINAL_DST ioctl.
--
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
next prev parent reply other threads:[~2003-02-06 0:09 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-02-03 17:56 [PATCH] big endian patch against netfilter after PPTP NAT pat ch Chris Poon
2003-02-06 0:09 ` Philip Craig [this message]
2003-02-09 9:29 ` Harald Welte
2003-02-09 16:53 ` Patrick Schaaf
2003-02-10 11:01 ` Harald Welte
[not found] ` <20030210123142.GA8730@rave.iinet.net.au>
2003-02-10 13:29 ` Harald Welte
2003-02-09 9:26 ` Harald Welte
-- strict thread matches above, loose matches on Subject: below --
2003-02-10 17:39 Chris Poon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3E41A7BC.20209@snapgear.com \
--to=philipc@snapgear.com \
--cc=Chris.Poon@TELUS.COM \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.