On Thu November 13 2008, Gilad Benjamini wrote:
> Back to my original question then: what is the rule of thumb?
> In other words, for a non-programmer reading proper documentation, how
> would the documentation describe INVALID?

In the "Packet Filtering HOWTO" of netfilter.org, they say:

    A packet which could not be identified for some reason: this includes
    running out of memory and ICMP errors which don't correspond to any
    known connection.

By looking at the code, I would say that a packet is invalid if the connection tracker doesn't manage to create a proper connection state for that packet (memory errors while treating the packet, ...), or the tests defined by the specific protocol handlers fail.

But I'm also asking myself this question, because I have to implement shim6 support in netfilter as part of my Master's Thesis. So can somebody give me a reference which will explain to me what a firewall should check, and what not...? Should it check whether the packet respects the whole protocol (in the case of shim6: nonces, cga/hba, ...)?

Thanks for your help, and sorry if I'm going off the topic of that thread.

--
Christoph Paasch
www.rollerbulls.be