On Wed, 26 Aug 2009, Jan Engelhardt wrote:

> On Wednesday 2009-08-26 14:55, Patrick McHardy wrote:
> >
> > Pascal Hambourg wrote:
> >> Hello,
> >>
> >> May I ask what are the reasons for a helper to drop packets?
> >
> > Mainly parsing errors, memory allocation errors and bugs.
>
> I am not quite sure whether parsing errors (like, a port > 65535 for
> FTP) should cause them to be dropped; after all, it might be, for
> example, a vendor-specific form of a protocol that just does not fit the
> nf_conntrack_ftp parsing exactly. That is to say, packets should be let
> through, though without setting up expectations.

I usually say that conntrack is not a policy-decision machine and therefore
should not drop packets. However, for the protocol helpers I strongly
believe if the helper can't figure out the protocol elements due to any
kind of parser error, then the packet should be dropped. Otherwise we may
open up possible DoS attack vectors to sloppy server/client implementations.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
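To make the two positions in the thread concrete, here is an added, simplified sketch (not nf_conntrack_ftp's own code) of a helper parsing the argument of an FTP `PORT h1,h2,h3,h4,p1,p2` command. The parser rejects any malformed field (the out-of-range port from the thread corresponds here to a field over 255), and `ftp_helper` then applies either policy: drop on parse error, or accept the packet without creating an expectation. The names `ftp_expect`, `parse_ftp_port` and `ftp_helper` are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verdict a helper returns for the packet it just inspected (assumed names). */
enum helper_verdict { HELPER_ACCEPT, HELPER_DROP };

/* Address tuple a successful parse would turn into a conntrack expectation. */
struct ftp_expect {
    uint32_t ip;    /* host byte order */
    uint16_t port;
};

/* Parse "h1,h2,h3,h4,p1,p2". Returns true and fills 'exp' on success; false on
   any parse error: non-digit, empty or missing field, field value > 255,
   or trailing garbage. Every byte of input is bounds-checked against 'len'. */
static bool parse_ftp_port(const char *arg, size_t len, struct ftp_expect *exp)
{
    unsigned long v[6];
    size_t i = 0;
    for (int f = 0; f < 6; f++) {
        unsigned long n = 0;
        size_t start = i;
        while (i < len && arg[i] >= '0' && arg[i] <= '9') {
            n = n * 10 + (unsigned long)(arg[i] - '0');
            if (n > 255)
                return false;               /* each field is a single byte */
            i++;
        }
        if (i == start)
            return false;                   /* empty field */
        v[f] = n;
        if (f < 5) {
            if (i >= len || arg[i] != ',')
                return false;               /* separator missing */
            i++;
        }
    }
    if (i != len)
        return false;                       /* trailing garbage */
    exp->ip = (uint32_t)((v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3]);
    exp->port = (uint16_t)((v[4] << 8) | v[5]);
    return true;
}

/* 'strict' drops on parse error (the position argued for in the reply);
   otherwise the packet passes but no expectation is set up. */
static enum helper_verdict ftp_helper(const char *arg, size_t len, bool strict,
                                      struct ftp_expect *exp, bool *expect_set)
{
    *expect_set = parse_ftp_port(arg, len, exp);
    if (*expect_set)
        return HELPER_ACCEPT;
    return strict ? HELPER_DROP : HELPER_ACCEPT;
}
```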