List: linux-ipchains-dev
Subject: Re: [Ipchains-dev] loop check
From: Paul Rusty Russell <Paul.Russell () rustcorp ! com ! au>
Date: 1999-05-18 1:44:08
In message <19990517174226.A29729@sreaumur.u-bordeaux.fr> you write:
> > I could have added a counter which counted rule examinations;
> > if we have N rules, and we've examined N+1, we're in a loop, right?
>
> no...
>
> (it seems that my mail didn't reach the archive !?!
> i send to ipchains-dev@rustcorp.com ?)
>
> what i say in my mail is that you may have situation where
> N+1 jump is not a loop situation if you think of
> side effects rule that can be jump-to many time
> or rules used like subroutines and a set of unoptimised rules

True, but that's implicitly not allowed. You can only have N+1 jumps
without a loop if a rule is modifying packets; I'm trying to separate
packet mangling and packet filtering, so you won't get any sympathy
from me 8-).

For example, if you're modifying the TOS field, and then filtering on
it, you could create a situation which looks like a loop but isn't.
But it's not a very useful thing to do, and even with that it's hard
to come up with a realistic N+1 jumps scenario.

I believe that people should not bolt packet-mangling modules onto
packet filtering; they should use separate infrastructure entirely,
like the NAT code does. Otherwise we end up with the same mess we
started with, with ipchains.

> (i think) what you need to count is the number of "rule in the
> stack" that is the number of jump without backtrack i.e the "virtual
> stack size" for that, you just have to decrement the i counter when
> you /* Pop from stack? */ -> this just add one decrementation for
> each jump... don't cost very much more isn't it ?

That would work, too. Tell you what: when someone complains about a
bogus loop-detection message, I'll apply your patch 8-).

Thanks!
Rusty.
--
Tridge, Raster, DaveM, Cort, maddog... Where will you be 9-11 July 1999?
http://www.linux.org.au/projects/calu
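
Added example, not part of the original message and not ipchains code: a small C model of the two counters discussed in this thread, a running count of rule examinations and a jump depth that is decremented on each pop from the stack. The structures, the walk() function and both rulesets are constructed for illustration, and every rule is assumed to match a packet that is never modified.

```c
#include <stddef.h>

/* Constructed model, not ipchains code. A matching rule may jump to another
 * chain; running off the end of a chain pops back to the calling chain. */
#define NO_JUMP (-1)
#define MAX_RULES 8                     /* this sketch assumes N <= MAX_RULES */

struct rule  { int matches; int jump_to; };       /* jump_to: chain index */
struct chain { const struct rule *rules; size_t len; };
struct frame { int chain; size_t next; };         /* resume point in a chain */
struct stats { unsigned examined, max_depth; int count_flag, depth_flag; };

/* Walk one packet from chain `start`; n is the total number of rules (N). */
static struct stats walk(const struct chain *chains, int start, unsigned n)
{
    struct frame stack[MAX_RULES + 1] = { { start, 0 } };
    struct stats st = { 0, 0, 0, 0 };
    unsigned depth = 0;                 /* jumps not yet returned from */

    for (;;) {
        struct frame *f = &stack[depth];
        if (f->next == chains[f->chain].len) {    /* pop from stack */
            if (depth == 0) break;                /* end of the start chain */
            depth--;                              /* the proposed decrement */
            continue;
        }
        const struct rule *r = &chains[f->chain].rules[f->next++];
        if (++st.examined > n) st.count_flag = 1; /* N+1 rule examinations */
        if (!r->matches || r->jump_to == NO_JUMP) continue;
        if (++depth > n) { st.depth_flag = 1; break; }  /* N+1 nested jumps */
        if (depth > st.max_depth) st.max_depth = depth;
        stack[depth] = (struct frame){ r->jump_to, 0 };
    }
    return st;
}

/* Constructed rulesets: every rule matches the (unmodified) packet. */
static const struct rule r_main[] = { {1, 1}, {1, 1} };  /* two jumps to A */
static const struct rule r_a[]    = { {1, 2}, {1, 2} };  /* two jumps to B */
static const struct rule r_b[]    = { {1, NO_JUMP} };    /* leaf rule */
static const struct chain subs[]  = { {r_main, 2}, {r_a, 2}, {r_b, 1} };
static const struct rule r_x[] = { {1, 1} }, r_y[] = { {1, 0} };
static const struct chain loop[]  = { {r_x, 1}, {r_y, 1} };  /* X <-> Y */

struct stats subroutine_case(void) { return walk(subs, 0, 5); }  /* N = 5 */
struct stats loop_case(void)       { return walk(loop, 0, 2); }  /* N = 2 */
```

In this model the subroutine-style ruleset reaches 10 rule examinations with N = 5 while its jump depth never exceeds 2; the X <-> Y ruleset trips both checks.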