Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:

> Without conntrack, you don't have NAT.

Right.

> Without conntrack, you don't have a direction. So how do you control who
> may initiate the connection for the protocols which are covered by the
> generic tracker? We don't have any match for that.

Fair enough, I'll add autoprobing for the generic tracker instead.

> The generic tracker can know which protocols have an own tracker and when
> it's not available can refuse to track that flow (like the proposed patch
> but selectively, just in this very case).

OK. I think this is an acceptable compromise.

> Exploitable modules can be blacklisted temporarily, while the fix is not
> available. With a generic tracker which refuses to track protocols with
> own trackers, the current security issue is not opened up.

Right, thanks Jozsef.

> NEW and ESTABLISHED states, which means directions and thus policies.
> Those are all lost without the generic tracker.

Yes, that and loss of NAT are sound arguments.

Cheers,
Florian

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
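The point Jozsef makes about NEW and ESTABLISHED giving a direction, and therefore a policy, for protocols that only the generic tracker covers, shown as an added nftables ruleset that is not part of this thread or of any netfilter patch under discussion. The interface name and the choice of IP protocol 89 (OSPF, which has no dedicated conntrack module in Linux and is therefore handled by the generic tracker) are assumptions made for the illustration.

```nft
# Added illustration, not code from the thread. Assumptions: WAN interface
# is "eth0"; the protocol with no dedicated tracker is IP protocol 89 (OSPF).
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Packets conntrack could not classify never get a direction; drop them.
        ct state invalid drop

        # Replies to flows this host opened are let back in. For protocol 89
        # this line only matches while the generic tracker records the flow;
        # without it the replies carry no state and fall to the drop policy.
        ct state established,related accept

        # Deliberately no "ip protocol 89 ct state new accept" here:
        # the outside may not initiate protocol-89 flows towards this host.
    }

    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept

        # Only this host may open a protocol-89 flow, and only on eth0.
        # "ct state new" is the direction match Jozsef refers to; it exists
        # solely because the generic tracker creates an entry for the flow.
        oifname "eth0" ip protocol 89 ct state new accept
    }
}
```

Load with `nft -f <file>` on a test machine. The practical check is to remove the generic tracker's coverage of protocol 89 (for example by adding a `notrack` rule for it in a raw-priority chain) and observe that the established rule stops matching: both directions then hit the drop policy, which is exactly the loss of NEW/ESTABLISHED policy the message describes, and the same mechanism by which NAT for such flows disappears.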