Re: [PATCH 1/2] netfilter: xtables: inclusion of xt_SYSRQ

On 25 Jul 2010, at 17:49, Jan Engelhardt wrote:

> 
> On Wednesday 2010-04-28 17:03, Jan Engelhardt wrote:
>> On Wednesday 2010-04-28 16:54, John Haxby wrote:
>>> 
>>> use-case I see -- the one I see is where the sys admins used to have a "crash
>>> trolley" which was a console and PS/2 keyboard which they could plug into a
>>> machine to get some information, but as many rack machines no longer have
>>> anything PS/2 and USB hot plug is unlikely to work on a sick machine
>> 
> 
> I still think we should merge this. A hold-up like this would have never 
> happened with staging drivers!
> 

Me too. I've been caught up with other things, but Patrick's suggestion of a separate module only half worked out.

Using encapsulation sockets to get the sysrq handled in BH context works well, except that there are no encapsulation sockets for IPv6. That, for me at least, was a bit of a show stopper.

In exploring this, though, I did correct one weakness in the protocol. An opportunistic hacker could take a sysrq packet and replay it to other hosts in the LAN in the hope that they have the same password (this is a realistic weakness rather than a theoretical one). To counter this I simply added the target IP address to the hash.

Would you like me to submit that to xt_SYSRQ anyway? (In a couple of weeks I'm afraid, I'm out for a while.)

jch
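
The cross-host replay weakness and the fix described in the message above, as an added example that is not part of the original post or of xt_SYSRQ's code. The request layout, the HMAC-SHA256 digest, the sequence-number check and every name and value below are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

def _digest(password, keys, seqno, salt, target_ip):
    # Canonicalise the address so "2001:0db8:0:0:0:0:0:1" and "2001:db8::1"
    # produce the same digest on sender and receiver.
    parts = [keys, str(seqno), salt]
    if target_ip is not None:
        parts.append(ipaddress.ip_address(target_ip).compressed)
    msg = ",".join(parts).encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()

def make_request(password, keys, seqno, salt, target_ip=None):
    """Sender side: returns 'keys,seqno,salt,digest' (hypothetical layout)."""
    return ",".join([keys, str(seqno), salt,
                     _digest(password, keys, seqno, salt, target_ip)])

def verify_request(packet, password, last_seqno, local_ip=None):
    """Receiver side. local_ip=None models the digest without address binding;
    otherwise the receiver mixes in the address the packet arrived on."""
    try:
        keys, seqno, salt, digest = packet.split(",")
        seqno = int(seqno)
    except ValueError:
        return False                      # malformed request
    if seqno <= last_seqno:
        return False                      # replay against the same host
    expected = _digest(password, keys, seqno, salt, local_ip)
    return hmac.compare_digest(expected.encode(), digest.encode())

# Constructed sample data: two hosts on one LAN sharing a password.
PASSWORD = "example-password"
HOST_A, HOST_B = "192.0.2.10", "192.0.2.20"

def replay_results():
    unbound = make_request(PASSWORD, "s", 1, "a1b2c3")
    bound = make_request(PASSWORD, "s", 1, "a1b2c3", target_ip=HOST_A)
    return {
        "unbound_on_A": verify_request(unbound, PASSWORD, 0),
        "unbound_replayed_to_B": verify_request(unbound, PASSWORD, 0),
        "bound_on_A": verify_request(bound, PASSWORD, 0, local_ip=HOST_A),
        "bound_replayed_to_B": verify_request(bound, PASSWORD, 0, local_ip=HOST_B),
    }

if __name__ == "__main__":
    for name, ok in replay_results().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

A per-host sequence number only stops replay against the host that already saw the packet; binding the digest to the destination address is what makes the same capture useless against a neighbour with the same password.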
