Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c

From: Paul P Komkoff Jr
Date: Tue Sep 14 2004 - 07:48:49 EST


Replying to Lincoln Dale:
> the logic is correct, but it may make sense to call the appropriate
> netfilter hook again with the "unwrapped" GRE packet, as otherwise
> packets-inside-GRE represent a possible security hole where one can inject
> packets externally and bypass firewall rules.

From what I observe, netfilter hooks *are* called for unwrapped packets.
Either for usual IP packets passed from GRE tunnel, or for demangled
wccp packets.

--
Paul P 'Stingray' Komkoff Jr // http://stingr.net/key <- my pgp key
This message represents the official view of the voices in my head