Hello Eric!

On 07:33 Mon 11 Feb, Eric Leblond wrote:
> Hello,
>
> On Monday 11 February 2013 at 12:43 +0800, Aaron Lewis wrote:
> > Hi,
> >
> > When I process a packet with libnetfilter_queue, would it be safe to:
> >
> > 1) Consider a packet is always valid, for example,
> >
> > In the callback, you extract the payload to a "char *data", now you
> > want the protocol id, so you check data[9],
> >
> > Is it safe if I don't check the package length first? (Would Iptables
> > drop it manually?)
>
> It is always good for security reasons to check the length.
>
> The following document contains useful information about
> libnetfilter_queue:
> https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/

Thanks! I thought iptables would discard invalid packets, I'll do the
packet length check.

>
> BR,
> --
> Eric Leblond
>

--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
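
The length check recommended in the thread, as an added example that is not part of the original messages or of libnetfilter_queue: it validates the buffer before reading data[9] and, going beyond the question, before reading a TCP/UDP port. The names parse_ipv4, dest_port, struct l4_view and the sample packet are assumptions made for illustration, and the queue is assumed to receive IPv4 packets.

```c
#include <stddef.h>
#include <stdint.h>

struct l4_view {               /* hypothetical helper type */
    uint8_t proto;             /* IPv4 protocol field, data[9] */
    int first_frag;            /* 1 if fragment offset is 0 */
    const unsigned char *l4;   /* start of transport header */
    size_t l4_len;             /* bytes really present after the IP header */
};

/* len is what nfq_get_payload() returned (negative on error).
 * Returns 0 if data[9] and the L4 view are safe to use, else -1. */
int parse_ipv4(const unsigned char *data, int len, struct l4_view *out)
{
    if (!data || !out || len < 20)
        return -1;                         /* no complete minimal header */
    if ((data[0] >> 4) != 4)
        return -1;                         /* not IPv4 */
    size_t ihl = (size_t)(data[0] & 0x0f) * 4;
    size_t tot = ((size_t)data[2] << 8) | data[3];
    if (ihl < 20 || ihl > (size_t)len || tot < ihl)
        return -1;                         /* header lengths inconsistent */
    size_t avail = tot < (size_t)len ? tot : (size_t)len;
    out->proto = data[9];
    out->first_frag = ((data[6] & 0x1f) | data[7]) == 0;
    out->l4 = data + ihl;
    out->l4_len = avail - ihl;             /* buffer may be shorter than tot */
    return 0;
}

/* Destination port for TCP (6) or UDP (17); -1 if not present in buffer. */
int dest_port(const struct l4_view *v)
{
    if (!v->first_frag || (v->proto != 6 && v->proto != 17) || v->l4_len < 4)
        return -1;
    return (v->l4[2] << 8) | v->l4[3];
}

/* Constructed sample: 20-byte IPv4 header + 8-byte UDP header, dport 53. */
static const unsigned char sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11,
    0x00, 0x00, 0xc0, 0x00, 0x02, 0x01, 0xc0, 0x00, 0x02, 0x02,
    0x30, 0x39, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00,
};
```

In a queue callback, a -1 from parse_ipv4 means the payload must not be indexed at all; the verdict to issue in that case is a policy decision for the application.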