From: Shan Wei <shanwei88@gmail.com>
To: john.haxby@oracle.com
Cc: Patrick McHardy <kaber@trash.net>,
	Jan Engelhardt <jengelh@medozas.de>,
	netfilter-devel@vger.kernel.org,
	Linux Netdev List <netdev@vger.kernel.org>,
	prarit@redhat.com, David Miller <davem@davemloft.net>
Subject: Re: [PATCH 1/2] netfilter: xtables: inclusion of xt_SYSRQ
Date: Thu, 05 Jan 2012 21:19:08 +0800
Message-ID: <4F05A34C.10405@gmail.com>
In-Reply-To: <4BCEF6B4.8090105@trash.net>

Patrick McHardy wrote, at 2010/4/21 20:59:

> I really think this is pushing what netfilter is meant for a bit
> far. Its basically abusing the firewall ruleset to offer a network
> service.
> 
> I can see that its useful to have this in the kernel instead of
> userspace, but why isn't this implemented as a stand-alone module?
> That seems like a better design to me and also makes it more useful
> by not depending on netfilter.


It's very useful to remotely sysrq server machines in a large data center.
Another solution, by Prarit Bhargava, was denied by David Miller;
see the discussion at http://patchwork.ozlabs.org/patch/101284/.

The xt_SYSRQ solution is more convenient for us to use in our internal system.
I hope this solution can be merged into the main tree. :-)
But before that, this code needs to be fixed (maybe it needs more hashing enhancement).

> 
>> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
>> ---
>> +module_param_string(password, sysrq_password, sizeof(sysrq_password),
>> +	S_IRUSR | S_IWUSR);
>> +module_param_string(hash, sysrq_hash, sizeof(sysrq_hash), S_IRUSR);
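
Review bot: the password parameter is declared with S_IRUSR | S_IWUSR, so module_param_string() creates a sysfs file (/sys/module/<module>/parameters/password) from which the plaintext secret can be read back, and the same value tends to end up in modprobe configuration and shell history. Giving the parameter mode 0 keeps it settable at load time without creating a readable sysfs entry; hash, declared S_IRUSR only, is read-only and so cannot be changed after load, which should be stated in the parameter description if that is intended.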

Read only.
The hash algorithm can be changed.

>> +module_param_named(seqno, sysrq_seqno, long, S_IRUSR | S_IWUSR);
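
Review bot: seqno is writable here (S_IWUSR), but sysrq_crypto_init() assigns sysrq_seqno from the current time, so a value given at load time is discarded, and a later write through sysfs can move the sequence number backwards and reopen the replay window for requests that were already accepted. Either make the parameter S_IRUSR only, or reject writes that lower the value.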

sysrq_seqno is set using the current time in sysrq_crypto_init.
Whatever we set, sysrq_seqno is not equal to what we set.

>> +	if (len == 0)
>> +		return NF_DROP;
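
Review bot: the len == 0 path returns NF_DROP, which discards the datagram rather than merely declining to treat it as a sysrq request; for a target that shares a UDP port with ordinary traffic, returning XT_CONTINUE (so later rules and the UDP stack still see the packet) is the less surprising behaviour, and the same choice should be made consistently on the other early-return paths.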

A malformed packet should be delivered to UDP protocol handling.

>> +	if (i != 3) {
>> +		if (sysrq_debug)
>> +			pr_info("badly formatted request\n");
>> +		return NF_DROP;
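
Review bot: the i != 3 branch calls pr_info() for every badly formatted datagram whenever sysrq_debug is set, and the input is network-controlled, so a burst of malformed requests can fill the kernel log; use a rate-limited variant (printk_ratelimited()/pr_info_ratelimited()) for any per-packet diagnostic in this path.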

Is there a 1% possibility for a user to send x,x,x,x-type data in the UDP payload?

>> +	do_gettimeofday(&now);
>> +	sysrq_seqno = now.tv_sec;
>> +	ret = xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
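
Review bot: sysrq_seqno is seeded from now.tv_sec, i.e. wall-clock seconds; wall-clock time can step backwards (NTP correction, manual clock change), after which sequence numbers accepted before the step pass the check again. Seed from a source that does not go backwards, or record the highest accepted sequence number and refuse anything below it regardless of the clock. Registration of the targets also does not belong in a crypto setup function; see the note on sysrq_tg_init() below.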

Register target.

>> +static int __init sysrq_tg_init(void)
>> +{
>> +	if (sysrq_crypto_init() < 0)
>> +		pr_info("starting without crypto\n");
>> +	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
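
Review bot: sysrq_tg_init() calls xt_register_targets() on sysrq_tg_reg after sysrq_crypto_init() has already registered the same array, so the xt_target's list node is linked into the target list twice and the list is corrupted (a walker then loops forever). Register once, here, and leave sysrq_crypto_init() to set up crypto state only. Separately, a failing sysrq_crypto_init() is only logged as "starting without crypto" and the module still loads; returning the error from init (or refusing to act on requests until crypto is available) is safer than silently running in a degraded mode.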

Register again. This will cause a target list dead loop.

--
Best Regards
Shan Wei

Thread overview:
2010-04-21 10:26 nf-next: sysrq and condition 20100421 Jan Engelhardt
2010-04-21 10:26 ` [PATCH 1/2] netfilter: xtables: inclusion of xt_SYSRQ Jan Engelhardt
2010-04-21 12:59   ` Patrick McHardy
2010-04-21 13:07     ` Jan Engelhardt
2010-04-21 13:17       ` Patrick McHardy
2010-04-21 13:35         ` Jan Engelhardt
2010-04-28 14:43           ` John Haxby
2010-04-28 14:54             ` John Haxby
2010-04-28 15:03               ` Jan Engelhardt
2010-04-28 15:50                 ` John Haxby
2010-07-25 16:49                 ` Jan Engelhardt
2010-07-25 18:13                   ` John Haxby
2012-01-05 13:19     ` Shan Wei [this message]
2010-04-21 10:26 ` [PATCH 2/2] netfilter: xtables: inclusion of xt_condition Jan Engelhardt
2010-04-21 13:07   ` Patrick McHardy
