From: Patrick McHardy <kaber@trash.net>
To: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 2.6]: ip6t_{hbh,dst}: Rejects not-strict mode on rule insersion
Date: Wed, 24 Sep 2008 17:29:43 +0200
Message-ID: <48DA5CE7.9040407@trash.net>
In-Reply-To: <200809091019.m89AJniP013456@toshiba.co.jp>

Yasuyuki KOZAKAI wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Tue, 09 Sep 2008 08:54:00 +0200
> 
>> Yasuyuki KOZAKAI wrote:
>>> Hi Patrick,
>>>
>>> Please apply the following patch. The option IP6T_OPTS_NSTRICT causes
>>> rules for options in the HBH/DST header to be ignored.
>>>
>>> I think this issue affects few users, because fortunately (?) the man page and
>>> 'ip6tables -m hbh --help' do not show the --hbh-not-strict option, and
>>> 'ip6tables ... --hbh-not-strict' does not work due to an incorrect has_arg
>>> value in userland libip6t_hbh.c ;)
>>>
>>> I will implement not-strict mode, so the patch leaves the definition of
>>> IP6T_OPTS_NSTRICT. The strict mode is too strict (the specified options
>>> have to be included in order in the HBH/DST header) and would be useless
>>> in most scenarios.
>> Since my knowledge of this is quite limited - is this fix important
>> enough so it should go in 2.6.27, or is queuing it for 2.6.28 OK
>> too?
> 
> Actually I am torn between them. I think this is a security issue, like
> 'iptables -p tcp -j DROP' not dropping TCP packets.
> But no ip6tables user meets this issue because of the has_arg bug.
> 
> I prefer 2.6.27 so that I don't need to fear a rare case in several months :)

Applied, thanks, and sorry for the delay.

Thread overview: 4+ messages
2008-09-08  6:13 [PATCH 2.6]: ip6t_{hbh,dst}: Rejects not-strict mode on rule insersion Yasuyuki KOZAKAI
2008-09-09  6:54 ` Patrick McHardy
2008-09-09 10:19   ` Yasuyuki KOZAKAI
     [not found]   ` <200809091019.m89AJniP013456@toshiba.co.jp>
2008-09-24 15:29     ` Patrick McHardy [this message]