List:       linux-ipchains-dev
Subject:    Re: [Ipchains-dev] loop check
From:       Paul Rusty Russell <Paul.Russell () rustcorp ! com ! au>
Date:       1999-05-18 1:44:08

In message <19990517174226.A29729@sreaumur.u-bordeaux.fr> you write:
> > 	I could have added a counter which counted rule examinations;
> > if we have N rules, and we've examined N+1, we're in a loop, right?
> 
> 	no...
> 
> 	(it seems that my mail didn't reach the archive !?! 
> 	i send to ipchains-dev@rustcorp.com ?)
> 
> 	what i say in my mail is that you may have situation where
> 	N+1 jump is not a loop situation if  you think of 
> 	side effects rule that can be jump-to many time
> 	or rules used like subroutines and a set of unoptimised rules

True, but that's implicitly not allowed.  You can only have N+1 jumps
without a loop if a rule is modifying packets; I'm trying to separate
packet mangling and packet filtering, so you won't get any sympathy
from me 8-).

For example, if you're modifying the TOS field, and then filtering on
it, you could create a situation which looks like a loop but isn't.
But it's not a very useful thing to do, and even with that it's hard
to come up with a realistic N+1 jumps scenario.

I believe that people should not bolt packet-mangling modules onto
packet filtering; they should use separate infrastructure entirely,
like the NAT code does.  Otherwise we end up with the same mess we
started with, with ipchains.

> 	(i think) what you need to count is the number of "rule in the
> stack" that is the number of jump without backtrack i.e the "virtual
> stack size" for that, you just have to decrement the i counter when
> you /* Pop from stack? */ -> this just add one decrementation for
> each jump... don't cost very much more isn't it ?

That would work, too.  Tell you what: when someone complains about a
bogus loop-detection message, I'll apply your patch 8-).

Thanks!
Rusty.
--
Tridge, Raster, DaveM, Cort, maddog... Where will you be 9-11 July 1999?
                http://www.linux.org.au/projects/calu
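
The two counters discussed in this thread, as an added C example that is not part of the original message or of the ipchains source. It assumes a simplified model in which every rule matches and none gives a verdict; the `rule` struct, the constant names and both rulesets are constructed for illustration.

```c
#include <stdio.h>

#define MAXR 16
/* Simplified model, not the ipchains code: every rule matches and none gives
 * a verdict. jump = index of the target chain's first rule, or -1;
 * last = 1 on the final rule of a chain (falling off it returns to caller). */
struct rule { int jump; int last; };

enum { LOOP_BY_EXAMINED = 1, LOOP_BY_DEPTH = 2 };

/* Constructed ruleset: main chain (rules 0-2) calls chain 3-4 three times. */
static const struct rule subroutine[] = {
    {3, 0}, {3, 0}, {3, 1}, {-1, 0}, {-1, 1} };
/* Constructed ruleset: chain 1 and chain 2 jump to each other. */
static const struct rule real_loop[] = { {1, 1}, {2, 1}, {1, 1} };

/* Walk n rules (n <= MAXR) from rule 0; return which heuristics fired. */
int traverse(const struct rule *r, int n)
{
    int stack[MAXR + 1], depth = 0, examined = 0, flags = 0, i = 0;

    for (;;) {
        if (++examined > n)
            flags |= LOOP_BY_EXAMINED;        /* N+1 examinations, N rules */
        if (r[i].jump >= 0) {
            stack[depth++] = i;               /* push the calling rule */
            if (depth > n)
                return flags | LOOP_BY_DEPTH; /* more nested jumps than rules */
            i = r[i].jump;
            continue;
        }
        while (r[i].last) {                   /* end of chain: pop the stack */
            if (depth == 0)
                return flags;                 /* fell off the top-level chain */
            i = stack[--depth];               /* the proposed decrement */
        }
        i++;                                  /* next rule in the same chain */
    }
}

int main(void)
{
    printf("subroutine: %d\n", traverse(subroutine, 5));
    printf("real loop:  %d\n", traverse(real_loop, 3));
    return 0;
}
```

On the constructed subroutine ruleset only the examination counter fires, while on the mutually jumping chains both counters fire.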
