
Re: Bad press again...



* Michael Stone:

> On Mon, Aug 29, 2005 at 11:44:59PM +0200, Florian Weimer wrote:
>>IMHO, Debian should publish at least a DSA that explains this
>>discrepancy, especially if the package maintainer also thinks that
>>it's necessary.
>
> Thank you for your input. Would anyone else like to register their
> opinion? BTW, did you miss the part where I insinuated that the security
> team is looking for some clarification? There's not much point in
> issuing an advisory before that, is there? 

I think this part of the diff is pretty instructive, together with
upstream's explanation:

 	if [ -n "$MACLIST_TTL" ]; then
 	    chain1=$(macrecent_target $interface)
 	    createchain $chain1 no
-	    run_iptables -A $chain  -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
-	    run_iptables -A $chain1 -m recent --update                        --name $chain -j ACCEPT
-	    run_iptables -A $chain1 -m recent --set                           --name $chain -j ACCEPT
+	    run_iptables -A $chain  -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
+	    run_iptables -A $chain                                                          -j $chain1
+	    run_iptables -A $chain  -m recent --update                        --name $chain -j RETURN
+	    run_iptables -A $chain  -m recent --set                           --name $chain
 	fi
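Review bot: The removed `$chain1` rules both end in `-j ACCEPT`, and `-m recent --set` always matches, so any packet that reached `$chain1` was accepted there and never came back to the rules following the `-j $chain1` jump in the calling chain; the added lines use `RETURN` on the `--rcheck` and `--update` rules and give the `--set` rule no target, so the packet is handed back to the caller instead. Two points deserve a comment in the script: the added `--update` rule carries no `--seconds`, so an entry older than `$MACLIST_TTL` still matches and returns (acceptable only because that rule sits after the unconditional `-j $chain1`), and the missing `-j` on the `--set` line is deliberate (record the address, then fall through), which otherwise reads like an omission.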

If I read the iptables manual page correctly, the --update and --set
rules jump to the ACCEPT target, letting through the packet.
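To make the difference between the removed and the added lines concrete, here is a small traversal model of the hunk. It is an added illustration, not code from this thread or from Shorewall: it models only the targets the hunk uses (jump to a user chain, ACCEPT, RETURN, DROP) and the `recent` match operations (--rcheck, --update, --set, --seconds). The chain names, the MAC allow-list rule, the disposition for unknown MACs and the telnet policy rule that follows MAC verification in the calling chain are constructed for the comparison and are not taken from the page.

```python
"""Traversal model for the quoted hunk: ACCEPT versus RETURN inside a user chain.

Added illustration, not code from the thread or from Shorewall.  Only the
behaviour the hunk relies on is modelled; the MAC check, the chain names and
the policy rule after MAC verification are constructed for the demonstration.
"""

MACLIST_TTL = 60  # seconds, standing in for the hunk's $MACLIST_TTL


class Recent:
    """`-m recent` lists: name -> {src: last_seen}.  Times are passed in
    explicitly so the simulation is deterministic."""

    def __init__(self):
        self.lists = {}

    def rcheck(self, name, src, now, seconds=None):
        # --rcheck: src is in the list (and, with --seconds, was seen recently)
        seen = self.lists.get(name, {}).get(src)
        return seen is not None and (seconds is None or now - seen <= seconds)

    def update(self, name, src, now, seconds=None):
        # --update: --rcheck plus a refresh of the last-seen time on a match
        if self.rcheck(name, src, now, seconds):
            self.lists[name][src] = now
            return True
        return False

    def set(self, name, src, now):
        # --set: add or refresh the entry; this match always succeeds
        self.lists.setdefault(name, {})[src] = now
        return True


def traverse(chains, chain, pkt, recent, now):
    """Walk `chain` rule by rule.  Returns ACCEPT or DROP when a terminal target
    fires, or RETURN when the chain is left (explicitly or off its end).  A
    terminal verdict inside a jumped-to chain ends the calling chain as well,
    which is exactly what the ACCEPT/RETURN change in the hunk is about."""
    for match, target in chains[chain]:
        if not match(pkt, recent, now):
            continue
        if target is None:             # rule with no -j: match, then keep going
            continue
        if target in ("ACCEPT", "DROP", "RETURN"):
            return target
        verdict = traverse(chains, target, pkt, recent, now)   # -j <user chain>
        if verdict != "RETURN":
            return verdict
    return "RETURN"


def build(variant):
    """Chains for the removed ('old') and added ('new') lines of the hunk."""
    always = lambda p, r, t: True
    rcheck = lambda p, r, t: r.rcheck("maclist", p["src"], t, MACLIST_TTL)
    update = lambda p, r, t: r.update("maclist", p["src"], t)
    record = lambda p, r, t: r.set("maclist", p["src"], t)
    mac_ok = lambda p, r, t: p["mac"] == "00:11:22:33:44:55"  # constructed allow-list
    telnet = lambda p, r, t: p["dport"] == 23

    # Calling chain (constructed): MAC verification first, then an ordinary
    # policy rule that is meant to apply to MAC-verified hosts as well.
    chains = {"INPUT": [(always, "maclist"), (telnet, "DROP"), (always, "ACCEPT")]}
    if variant == "old":
        chains["maclist"] = [(rcheck, "maclist_recent"),
                             (mac_ok, "maclist_recent"),    # assumed MAC rule
                             (always, "DROP")]               # assumed disposition
        chains["maclist_recent"] = [(update, "ACCEPT"), (record, "ACCEPT")]
    else:
        chains["maclist"] = [(rcheck, "RETURN"),
                             (always, "maclist_recent"),
                             (update, "RETURN"),
                             (record, None)]
        chains["maclist_recent"] = [(mac_ok, "RETURN"),     # assumed MAC rule
                                    (always, "DROP")]        # assumed disposition
    return chains


def verdicts(variant):
    """Run the same constructed packets through one variant; returns the verdicts."""
    chains, recent = build(variant), Recent()
    good = {"src": "10.0.0.5", "mac": "00:11:22:33:44:55", "dport": 23}
    good_http = dict(good, dport=80)
    bad = {"src": "10.0.0.9", "mac": "de:ad:be:ef:00:00", "dport": 80}
    return [
        traverse(chains, "INPUT", good, recent, now=0),        # first sight, MAC checked
        traverse(chains, "INPUT", good, recent, now=10),       # within TTL, recent path
        traverse(chains, "INPUT", good_http, recent, now=10),  # allowed service
        traverse(chains, "INPUT", bad, recent, now=10),        # MAC not on the list
    ]


if __name__ == "__main__":
    for variant in ("old", "new"):
        print(variant, verdicts(variant))
```

With the removed lines, the MAC-verified host's telnet packets are accepted inside `maclist_recent` and the policy rule in the calling chain never sees them; with the added lines the same packets return to the caller and are dropped there, while permitted traffic and unknown MACs are handled the same way in both variants.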
