Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c

[Lincoln Dale]

At 10:39 PM 14/09/2004, Paul P Komkoff Jr wrote:
> Replying to Lincoln Dale:
> > the logic is correct, but it may make sense to call the appropriate
> > netfilter hook again with the "unwrapped" GRE packet, as otherwise
> > packets-inside-GRE represent a possible security hole where one can inject
> > packets externally and bypass firewall rules.
>
> From what I observe, netfilter hooks *are* called for unwrapped packets.
> Either for usual IP packets  passed from GRE tunnel, or for demangled
> wccp packets.

you probably want to ensure that the order of netfilter events are:
  1. [packet comes in]
  2. netfilter INPUT
  3. [GRE decap]
  4. [addressed to us?]
      Yes => netfilter INPUT
      No => netfilter FORWARD

i don't think that both (2) and (4) are done.

also just a minor nit: not all WCCP needs to be GRE-encoded; on 
high-performance switch/router platforms, only a layer-2 rewrite of the dst 
MAC addr is used instead of a layer-3 GRE tunnel.  you may want the comment 
at line 609 to explicitly mention "WCCPv1 and WCCPv2 GRE Forwarding mode".


cheers,

lincoln.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/