Re: [PATCH 2/2] extensions: add HMARK target

On Thu, Jul 12, 2012 at 09:34:45AM +0200, Hans Schillstrom wrote:
> Hi Pablo
> [snip]
> +static void HMARK_check(struct xt_fcheck_call *cb)
> >+{
> >+	if (!(cb->xflags & (1 << O_HMARK_MODULUS)))
> >+		xtables_error(PARAMETER_PROBLEM, "--hmark-mod is mandatory");
> >+	if (!(cb->xflags & (1 << O_HMARK_RND)))
> >+		xtables_error(PARAMETER_PROBLEM, "--hmark-rnd is mandatory");
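Review bot: Both tests in HMARK_check only confirm that the option bits are set in cb->xflags; nothing in this hunk validates the values, so a --hmark-mod of 0 would pass here unless the option table bounds it elsewhere. Consider adding a range check next to the O_HMARK_MODULUS test. If --hmark-offset becomes mandatory as discussed in this thread, it needs a matching test in this function. The --hmark-rnd message could also say why the seed is required, so users do not pick a trivial value.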
> 
> I don't think rnd should be mandatory, a default value is enough.
> offset however should be mandatory.

As I said, parameters that are not set will likely not be set by
users. If there is a default value for random, it will be easier for
an attacker to direct all flows to the same target.

I'll be OK to make --hmark-offset mandatory, BTW.