Christoph A. wrote:
> Hi,
>
> I read Jan's "Towards the perfect ruleset" paper [1]
>
> [1] http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf
>
> and I would have a question about the mentioned security risk when
> creating whole rulesets with the iptables command (chapter 3).
>
> I understand why it is a bad idea to create n rules by using
> iptables -A... multiple times (instead of iptables-restore) because it
> "downloads" the entire table n times and sets the entire table n times
> (performing n*2 operations) while passing n^2 rules between kernel and
> userspace.
>
> The second and more interesting point is that this would also introduce
> a timeframe where packets could slip through while these exchanges
> between kernel and userspace are happening. Why does setting the policy
> to DROP not solve this problem?

This is not correct, the replacement is atomic.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
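The contrast the question describes, n separate iptables -A invocations versus one iptables-restore load, as an added shell example that is not part of the thread or of the paper. The interface name, the rules themselves and the ports are constructed for illustration; the script writes the whole filter table in iptables-save format and hands it to iptables-restore in one call, which validates it with --test first, and only falls back to leaving the generated file in place when iptables-restore is not installed.

```shell
#!/bin/sh
# Build one complete filter-table ruleset in iptables-save format and load it
# with a single iptables-restore call (one table replacement in the kernel),
# rather than issuing one `iptables -A` per rule. The rules, ports and the
# interface name below are constructed for this example.

WAN_IF="eth0"   # assumption: name of the external interface

# Emit the entire filter table. Policies are DROP for INPUT and FORWARD;
# everything that should pass is listed explicitly, then COMMIT ends the table.
build_filter_table() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Number of rules the single restore installs (the n of the discussion).
count_rules() {
    build_filter_table | grep -c '^-A '
}

# The per-rule alternative the paper argues against: the same n rules as n
# separate iptables commands, each of which fetches and replaces the whole
# table. Printed only, never executed here.
per_rule_commands() {
    build_filter_table | sed -n 's/^-A /iptables -A /p'
}

# Load the table atomically. `iptables-restore --test` parses the file
# without touching the kernel, so a syntax error is caught before any load
# is attempted; the real load then replaces the table in one operation.
load_ruleset() {
    tmp=$(mktemp) || return 1
    build_filter_table > "$tmp"
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$tmp" && iptables-restore < "$tmp"
        rc=$?
        rm -f "$tmp"
    else
        echo "iptables-restore not found; ruleset written to $tmp" >&2
        rc=0
    fi
    return $rc
}
```

Running load_ruleset as root applies the table; iptables-restore without -n flushes and rebuilds the filter table from the file, so the listed rules and policies are the complete resulting table, not an addition to whatever was there before.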