From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jan Engelhardt <jengelh@inai.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
Date: Thu, 12 Jul 2012 17:49:57 +0200
Message-ID: <20120712154957.GE18793@1984>
In-Reply-To: <1341964350-13809-5-git-send-email-jengelh@inai.de>

On Wed, Jul 11, 2012 at 01:52:30AM +0200, Jan Engelhardt wrote:
> The SYSRQ target will allow to remotely invoke sysrq on the local
> machine. Authentication is by means of a pre-shared key that can
> either be transmitted plaintext or digest-secured.
>
> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
> ---
> net/netfilter/Kconfig | 12 ++
> net/netfilter/Makefile | 1 +
> net/netfilter/xt_SYSRQ.c | 361 ++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 374 insertions(+), 0 deletions(-)
> create mode 100644 net/netfilter/xt_SYSRQ.c
>
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index c19b214..fbe8e40 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -644,6 +644,18 @@ config NETFILTER_XT_TARGET_RATEEST
>
> To compile it as a module, choose M here. If unsure, say N.
>
> +config NETFILTER_XT_TARGET_SYSRQ
> + tristate '"SYSRQ" - remote sysrq invocation'
> + depends on NETFILTER_ADVANCED
> + ---help---
> + This option enables the "SYSRQ" target which can be used to trigger
> + sysrq from a remote machine using a magic UDP packet with a pre-shared
> + password. This is useful when the receiving host has locked up in an
> + Oops yet still can process incoming packets.
> +
> + Besides plaintext packets, digest-secured SYSRQ requests will be
> + supported when CONFIG_CRYPTO is enabled.
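
Review bot: the help text of the new NETFILTER_XT_TARGET_SYSRQ entry lists plaintext packets as a normal mode without saying what that means for the secret. The pre-shared password then travels in the clear inside a UDP packet, so anyone who can observe that traffic learns a credential that triggers sysrq on the host. The help text should say so explicitly and recommend the digest-secured mode. Since that mode is only available "when CONFIG_CRYPTO is enabled", consider a `select CRYPTO` or a dependency so that a kernel cannot be built with plaintext as the only option. The entry also drops the "If unsure, say N" line that the preceding entry carries, which matters more here than for most targets.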

I guess this is useful for users, e.g. you can reboot your crashed
system from your office in case of cheap commodity hardware without
remote management tools (e.g. HP's iLO or Dell's iDRAC).

Still, I think that including this in Netfilter is a bit of abuse
since this is out of the scope of providing some firewalling feature.
People willing to use this should be able to use it without requiring
Netfilter at all.

If you have interest in pushing this into mainline, I think this
deserves to be generalized and included somewhere into the networking
tree and provide some genetlink interface to configure it.