So I look in my syslogs, and I find a lot of:
Nov 6 14:36:37 turing-police kernel: ipt_hook: happy cracking.
messages. A quick grep finds it's ipv4/netfilter/iptable_filter.c:
/* root is playing with raw sockets. */
if ((*pskb)->len < sizeof(struct iphdr)
|| (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr)) {
if (net_ratelimit())
printk("ipt_hook: happy cracking.\n");
return NF_ACCEPT;
}
The only problem is that root wasn't doing any playing at the time. The real
culprit was an iptables filter with '-j REJECT'. (Yes, usually a '-j DROP' is
my preference, but I get SYN packets from some places on our net where sending
an RST is more polite than waiting for retransmits).
I admit not being positively clear on how this manages to trigger, as
I'm not sure who's supposed to set the ->len field on the new pskb
allocated by ipt_REJECT.c:send_reset() (AFAICT, ->ihl should be OK
after skb_copy_bits() gets called).
Hardly 'cracking' - but after yesterday's CVS scare, I had to double
check this code was in 2.4.18 too before my pulse came down.. :)
Attachment:
pgp00666.pgp
Description: PGP signature
