Date: Tue, 19 Dec 2006 16:27:36 +0100 (MET)
From: Jan Engelhardt <jengelh@...ux01.gwdg.de>
To: Patrick McHardy <kaber@...sh.net>
cc: Netfilter Developer Mailing List <netfilter-devel@...ts.netfilter.org>,
    Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] xt_request_find_match

>>>>Reusing code is a good idea, and I would like to do so from my
>>>>match modules. netfilter already provides a xt_request_find_target() but
>>>>an xt_request_find_match() does not yet exist. This patch adds it.
>>>
>>>Why does your match module needs to lookup other matches?
>>
>> To use them?
>>
>> I did not want to write
>>
>> some_xt_target() {
>>     if(skb->nh.iph->protocol == IPPROTO_TCP)
>>         do_this();
>>     else
>>         do_that();
>> }
>
>I don't think
>
>xt_request_find_match(match->family, "tcp", 0)->match(lots of arguments)
>
>is better than a simple comparison. Besides that the tcp match itself
>expects that the protocol match already checked for IPPROTO_TCP, so
>you'd still have to do it.

>> /* To quote Alan:
>>
>>    Don't allow a fragment of TCP 8 bytes in. Nobody normal
>>    causes this. Its a cracker trying to break in by doing a
>>    flag overwrite to pass the direction checks.
>> */
>
>This check makes sure the flags are not overwritten _after you
>matched on them_. It doesn't matter at all if you're only
>interested in the protocol since the user didn't tell you to care.

Ok, but let's say I wanted to use a bigger match module (layer7, anyone?)
Then it's just not if(protocol == IPPROTO_TCP). What's the preferred
solution then?

	-`J'
-- 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
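
The two checks discussed in this exchange (the protocol comparison, and the TCP fragment check that protects a flag match), as an added C sketch that is not part of the original message or of the netfilter source. `match_tcp_syn`, the verdict names and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict names are assumptions for this sketch, not kernel symbols. */
enum verdict { NO_MATCH, MATCH, HOTDROP };
#define PROTO_TCP 6
#define TCP_SYN   0x02

/* Match "TCP with SYN set" on a raw IPv4 packet. */
enum verdict match_tcp_syn(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return NO_MATCH;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return NO_MATCH;

    /* The "simple comparison" on the protocol field. */
    if (pkt[9] != PROTO_TCP)
        return NO_MATCH;

    /* Fragment offset: low 13 bits of bytes 6-7, in 8-byte units. */
    unsigned frag_off = ((unsigned)(pkt[6] & 0x1f) << 8) | pkt[7];

    /* Offset 1 starts at byte 8 of the TCP header and so covers the flags
     * byte (13): it could replace the flags after they were matched. */
    if (frag_off == 1)
        return HOTDROP;
    /* Later fragments hold no TCP header, so there is nothing to match. */
    if (frag_off != 0)
        return NO_MATCH;
    /* First fragment too short to hold the flags byte: cannot examine. */
    if (len - ihl < 14)
        return HOTDROP;

    return (pkt[ihl + 13] & TCP_SYN) ? MATCH : NO_MATCH;
}

int main(void)
{
    /* Constructed sample: 20-byte IPv4 header + 20-byte TCP header, SYN set. */
    uint8_t p[40] = {0};
    p[0] = 0x45; p[9] = PROTO_TCP; p[33] = TCP_SYN;
    printf("unfragmented SYN: %d\n", match_tcp_syn(p, sizeof p));
    p[7] = 1; /* same bytes, now marked as a fragment at offset 1 */
    printf("offset-1 fragment: %d\n", match_tcp_syn(p, sizeof p));
    return 0;
}
```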