xtables tools locking vulnerable to local DoS

Heya,

I noticed that the iptables/xtables userspace tools implement a
locking scheme based on abstract namespace AF_UNIX sockets, in
xtables_lock() in iptables/xshared.c. This is vulnerable to local DoS,
since unprivileged clients can create that socket too, thus making all
iptables tools hang and hinder them from making changes to the
firewall. Abstract namespace AF_UNIX sockets are really not a suitable
locking primitive!

The code should probably be changed to use a file lock (BSD flock()
preferably) on a lock file in /run somewhere, with correct access
modes, so that unprivileged users cannot play games with this.

Also, the sleep() loop around the AF_UNIX bind is pretty ugly anyway...

Lennart
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
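The flock()-based replacement the mail proposes, as an added example written for this page rather than code taken from iptables: it takes a bounded, non-blocking exclusive lock on a lock file and refuses lock files that are not regular files, not owned by the caller, or writable by group/others. The function names, the wait parameter and the lock path used by the caller are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Acquire an exclusive advisory lock on `path` with BSD flock().
 * Returns the lock fd (>= 0) on success; -1 with errno set otherwise
 * (EWOULDBLOCK if another holder kept it for the whole wait). The lock
 * belongs to the open file description, so it vanishes when the holder
 * closes the fd or dies: no stale lock files to clean up. */
int xtables_flock_acquire(const char *path, int max_wait_seconds)
{
    struct stat st;
    /* O_NOFOLLOW: never be redirected through a planted symlink.
     * O_CLOEXEC: helpers we exec() must not inherit (and keep) the lock. */
    int fd = open(path, O_RDONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    /* "Correct access modes": the lock file must be a regular file owned
     * by us and not writable by group/others. It should live in a
     * directory only root can write to (e.g. /run), so unprivileged
     * users can neither pre-create it nor swap it out. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    for (int waited = 0;; waited++) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;
        if (errno != EWOULDBLOCK || waited >= max_wait_seconds) {
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
        sleep(1); /* still polling, but bounded and on a real lock primitive */
    }
}

/* Releasing is just closing the fd; flock() drops the lock with it. */
void xtables_flock_release(int fd)
{
    close(fd);
}
```

A second open() of the same file gets its own open file description, so a concurrent acquire attempt fails with EWOULDBLOCK instead of hanging, and the lock is released even if the holder crashes.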
