From: Andras Kis-Szabo <kisza@securityaudit.hu>
To: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Cc: Netfilter Devel <netfilter-devel@lists.netfilter.org>,
Netdev <netdev@oss.sgi.com>,
usagi-core@linux-ipv6.org
Subject: Re: [Patch]: IPv6 Connection Tracking
Date: 25 Sep 2003 20:48:01 +0200 [thread overview]
Message-ID: <1064515680.995.41.camel@localhost> (raw)
In-Reply-To: <200309250521.OAA29293@toshiba.co.jp>
Dear Yasuyuki,
I have some questions against the code.
The first question is about the extension headers.
I have used an own 'external header skipper' routine which was very
close the the kernel's one. So I would like to update the netfilter code
to use the kernel's function. For this, we have to export the
ipv6_skip_exthdr() function from net/ipv6/exthdrs.c . I have checked
your code, too. It looks very close to the kernel's code.
As I have noticed, the differences:
- handling of the fragments
your code checks that the member of the extension are in the skb or
not since the common part checks only the basic extension header size.
After it your code linearizes the skb to cover the extension header.
So, the kernel does not check the size and does not linearize. After
these fixes the 2 codes will be similar.
Would not be better to export the kernel's function and use the
ipv6_skip_exthdr() in the netfilter codes?
My second commet is near this area. I have planned that an offset value
which points after the last extension header and a variable which
contain the last nexthdr value would be very helpful for the future -
but I was too lazy to do this work. With the connection tracking this
function (ipv6_skip_exthdr) will be called several time on the same
packet (in the main kernel, at every LOG, at every match, at every ct,
...) With USAGI we could - probably - find the space for this 2
variable. Do you have any recommendation?
Your FTP code uses EPSV and EPRT from rfc2428. What's about the FOOBAR
RFC (1639)? OK, it's a joke :)
Could we open an IPv4 data connection next to the IPv6 controll
connection?
Regards,
kisza
--
Andras Kis-Szabo Security Development, Design and Audit
-------------------------/ Zorp, NetFilter and IPv6
kisza@SecurityAudit.hu /------------------------------------------->
next prev parent reply other threads:[~2003-09-25 18:48 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-09-25 5:21 [Patch]: IPv6 Connection Tracking Yasuyuki Kozakai
2003-09-25 9:28 ` Harald Welte
2003-09-25 10:50 ` [netfilter-core] " Jozsef Kadlecsik
2003-09-25 10:51 ` David S. Miller
2003-09-25 13:10 ` Yasuyuki Kozakai
2003-10-03 11:19 ` Yasuyuki Kozakai
2003-10-07 12:30 ` Harald Welte
2003-09-25 18:48 ` Andras Kis-Szabo [this message]
2003-09-25 18:57 ` Pekka Savola
2003-09-25 19:07 ` Andras Kis-Szabo
2003-09-25 19:14 ` Pekka Savola
2003-09-29 8:42 ` Harald Welte
2003-09-26 3:54 ` Yasuyuki Kozakai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1064515680.995.41.camel@localhost \
--to=kisza@securityaudit.hu \
--cc=netdev@oss.sgi.com \
--cc=netfilter-devel@lists.netfilter.org \
--cc=usagi-core@linux-ipv6.org \
--cc=yasuyuki.kozakai@toshiba.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).