Re: Bad press again...
* Michael Stone:
> On Mon, Aug 29, 2005 at 11:44:59PM +0200, Florian Weimer wrote:
>>IMHO, Debian should publish at least a DSA that explains this
>>discrepancy, especially if the package maintainer also thinks that
>>it's necessary.
>
> Thank you for your input. Would anyone else like to register their
> opinion? BTW, did you miss the part where I insinuated that the security
> team is looking for some clarification? There's not much point in
> issuing an advisory before that, is there?
I think this part of the diff is pretty instructive, together with
upstream's explanation:
if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface)
createchain $chain1 no
- run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
- run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT
- run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT
+ run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
+ run_iptables -A $chain -j $chain1
+ run_iptables -A $chain -m recent --update --name $chain -j RETURN
+ run_iptables -A $chain -m recent --set --name $chain
fi
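Review bot: the new `--update` rule (`run_iptables -A $chain -m recent --update --name $chain -j RETURN`) carries no `--seconds $MACLIST_TTL`, so an address whose entry is older than the TTL, and which the preceding `--rcheck --seconds $MACLIST_TTL` rule therefore did not match, still matches here and gets its timestamp refreshed before the RETURN; unless `$chain1` terminates such packets, a host that keeps sending never ages out, so consider adding `--seconds $MACLIST_TTL` to the `--update` rule too. The final `--set` rule has no `-j` target, which is fine if the intent is only to record the address and fall through to the rest of `$chain`, but a comment saying so would keep the next reader from taking it for a dropped `-j`.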
If I read the iptables manual page correctly, the --update and --set
rules jump to the ACCEPT target, letting through the packet.