* Is it safe to use libnetfilter_queue in these cases?
@ 2013-02-11 4:43 Aaron Lewis
2013-02-11 6:33 ` Eric Leblond
0 siblings, 1 reply; 3+ messages in thread
From: Aaron Lewis @ 2013-02-11 4:43 UTC (permalink / raw)
To: netfilter mailing list
Hi,
When I process a packet with libnetfilter_queue, would it be safe to:
1) Consider a packet is always valid, for example,
In the callback, you extract the payload to a "char *data", now you
want the protocol id, so you check data[9],
Is it safe if I don't check the package length first? (Would Iptables
drop it manually?)
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Is it safe to use libnetfilter_queue in these cases?
2013-02-11 4:43 Is it safe to use libnetfilter_queue in these cases? Aaron Lewis
@ 2013-02-11 6:33 ` Eric Leblond
2013-02-12 3:03 ` [SOLVED] " Aaron Lewis
0 siblings, 1 reply; 3+ messages in thread
From: Eric Leblond @ 2013-02-11 6:33 UTC (permalink / raw)
To: Aaron Lewis; +Cc: netfilter mailing list
[-- Attachment #1: Type: text/plain, Size: 680 bytes --]
Hello,
Le lundi 11 février 2013 à 12:43 +0800, Aaron Lewis a écrit :
> Hi,
>
> When I process a packet with libnetfilter_queue, would it be safe to:
>
> 1) Consider a packet is always valid, for example,
>
> In the callback, you extract the payload to a "char *data", now you
> want the protocol id, so you check data[9],
>
> Is it safe if I don't check the package length first? (Would Iptables
> drop it manually?)
It is always good for security reason to check the length.
The following document contain useful information about
libnetfilter_queue:
https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
BR,
--
Eric Leblond
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 190 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* [SOLVED] Re: Is it safe to use libnetfilter_queue in these cases?
2013-02-11 6:33 ` Eric Leblond
@ 2013-02-12 3:03 ` Aaron Lewis
0 siblings, 0 replies; 3+ messages in thread
From: Aaron Lewis @ 2013-02-12 3:03 UTC (permalink / raw)
To: Eric Leblond; +Cc: Aaron Lewis, netfilter mailing list
Bonjour Eric!
On 07:33 Mon 11 Feb , Eric Leblond wrote:
> Hello,
>
> Le lundi 11 février 2013 à 12:43 +0800, Aaron Lewis a écrit :
> > Hi,
> >
> > When I process a packet with libnetfilter_queue, would it be safe to:
> >
> > 1) Consider a packet is always valid, for example,
> >
> > In the callback, you extract the payload to a "char *data", now you
> > want the protocol id, so you check data[9],
> >
> > Is it safe if I don't check the package length first? (Would Iptables
> > drop it manually?)
>
> It is always good for security reason to check the length.
>
> The following document contain useful information about
> libnetfilter_queue:
> https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
Thanks!
I thought iptables would discard invalid packets, I'll do the
packet length check
>
> BR,
> --
> Eric Leblond
>
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-02-12 3:03 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-02-11 4:43 Is it safe to use libnetfilter_queue in these cases? Aaron Lewis
2013-02-11 6:33 ` Eric Leblond
2013-02-12 3:03 ` [SOLVED] " Aaron Lewis
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).