From mboxrd@z Thu Jan 1 00:00:00 1970 From: Patrick McHardy Subject: Re: Plans for future iptables versions / jumpset feature Date: Thu, 22 May 2008 22:51:59 +0200 Message-ID: <4835DCEF.8060002@trash.net> References: <1211482843.28066.40.camel@enterprise.ims-firmen.de> <4835C6F0.5080604@trash.net> <20080522201419.GA28832@internet24.de> <4835D511.7030503@trash.net> <20080522204716.GA29008@internet24.de> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: netfilter-devel@vger.kernel.org To: Thomas Jacob Return-path: Received: from stinky.trash.net ([213.144.137.162]:46806 "EHLO stinky.trash.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757199AbYEVUxm (ORCPT ); Thu, 22 May 2008 16:53:42 -0400 In-Reply-To: <20080522204716.GA29008@internet24.de> Sender: netfilter-devel-owner@vger.kernel.org List-ID: Thomas Jacob wrote: > On Thu, May 22, 2008 at 10:18:25PM +0200, Patrick McHardy wrote: > >> Not implemented yet, but I'm probably going to add this as an option >> (since it may affect the choice of data structure). For jumps its >> tricky though because loop detection has to be performed. >> > > I don't see why this always has to be performed. There so many ways > to break your system when you're root, so being required to define a loop > free rule sets after specifying some kind of "yes I really want to"- > option should be that much of a burden. As far as I understand > the code, the loop checking at the moment is done in userspace, so > nobody stops you from simply removing that part from the iptables > code. > No, its done in the kernel. I also don't buy this argument. Sure, you can wreck your system if you really want to, but it should be prevented to do so accidentally. Additionally, if you consider setups with limited root powers, this becomes a serious bug.