mouss wrote:
> Patrick McHardy wrote:
>> [Adding Stephen back to CC list]
>> Jozsef Kadlecsik wrote:
>>> I'd be more happy with a module parameter and/or proc switch by which
>>> this new feature could be enabled. So backward compatibility could be
>>> kept and the users could list the rules only if the system is
>>> explicitly configured to allow it.
>> I don't think compatibility is a problem here, lifting this
>> restriction can't possibly break anything in userspace.
>> The question is more whether this causes privacy or other issues;
>> if yes, we shouldn't do it, otherwise there's no harm in doing
>> it unconditionally. I personally don't see any problems with
>> this change.
> On a server where users are allowed to run commands, but we don't want them to
> know more than they should, I am not sure one wants them to see the
> rules. Call it security by obscurity if you like, but some people may
> want this. I guess this is what Jozsef meant by compatibility (is it
> "least surprise"?).

Well, yes, the main question is whether this causes privacy issues.
"Security by obscurity" is a pretty poor argument; does anyone have
a well-founded reason for not allowing users to see the rules and
counters?
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html