
Re: unclean match



On Wed, Aug 21, 2002 at 11:19:55AM +1000, Daniel Pittman wrote:
> Ack. Something to watch out for, then: the unclean match used to
> consider any ECN packet "unclean". That snippet looks like it still may.

It looks like it, but the definition is OK:

    TCP_RESERVED_BITS = __constant_htonl(0x0F000000), <- 4 not 6 bits

So at least 2.4.7 is safe. The patch is from August of last year. But you
are right, those checks are the reason why the module is not turned on by
default, the meaning of the reserved bits may change :)

Of course this is also true for filter rules and therefore no big deal to
worry about. Perhaps it would be good to turn off some checks at runtime,
but you can always modify the source; it is the most performant filter since
those checks will be in the IP receiving hotpath.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
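
An added example, not part of the message above or of the kernel source: it applies the 4-bit mask quoted in the message and, for comparison, the 6-bit reserved field from RFC 793 to constructed TCP headers, showing that only the wider mask trips on the ECE/CWR bits of an ECN-setup SYN. The function name, the 6-bit constant and the sample headers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Mask quoted in the message, written in host order. The kernel wraps it in
 * __constant_htonl() so it can be compared against the on-wire word. */
#define RESERVED_4BIT 0x0F000000u
/* RFC 793's original 6 reserved bits (comparison only, assumed here). The two
 * extra bits are the ones RFC 3168 later assigned to CWR and ECE. */
#define RESERVED_6BIT 0x0FC00000u

/* Read the 32-bit word at offset 12 of a TCP header (data offset, reserved
 * bits, flags, window) as a big-endian value, independent of host order. */
static uint32_t tcp_word3(const uint8_t *tcp)
{
    return ((uint32_t)tcp[12] << 24) | ((uint32_t)tcp[13] << 16) |
           ((uint32_t)tcp[14] << 8)  |  (uint32_t)tcp[15];
}

/* Return 1 if any bit selected by mask is set in the header, else 0. */
int reserved_bits_set(const uint8_t *tcp, uint32_t mask)
{
    return (tcp_word3(tcp) & mask) != 0;
}

/* Constructed sample headers: 20 bytes, data offset 5, no options. */
const uint8_t plain_syn[20] = {   /* flags 0x02: SYN */
    0x04,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xFF,0xFF, 0,0, 0,0 };
const uint8_t ecn_syn[20] = {     /* flags 0xC2: SYN|ECE|CWR */
    0x04,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0xC2, 0xFF,0xFF, 0,0, 0,0 };
const uint8_t odd_syn[20] = {     /* a bit set in the low nibble of byte 12 */
    0x04,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x54,0x02, 0xFF,0xFF, 0,0, 0,0 };

int main(void)
{
    const struct { const char *name; const uint8_t *hdr; } cases[] = {
        { "plain SYN", plain_syn },
        { "ECN-setup SYN", ecn_syn },
        { "SYN with reserved bit", odd_syn },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s 4-bit mask: %d   6-bit mask: %d\n", cases[i].name,
               reserved_bits_set(cases[i].hdr, RESERVED_4BIT),
               reserved_bits_set(cases[i].hdr, RESERVED_6BIT));
    return 0;
}
```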
