cvs commit: src/sys/netinet ip_fw2.c
Max Laier
max at love2party.net
Wed May 17 17:31:17 PDT 2006
On Tue, May 16, 2006 10:29 am, David Malone wrote:
>> Interesting - thanks for the pointer. Unless every stack DTRT we can't
>> use the flow_id, though - or we break otherwise legal connections. In the
>> given case we would open a state with SYN+flow_id and get a reply
>> SYNACK+0, which wouldn't hash the same as the SYN we sent out. No matching
>> state, no connection.
>
> Indeed - we need to get into the position where almost all stacks
> do the right thing before we can use the flow label as a key of any
> sort in the firewalling process. If people have noticed problems
> with this, I'd be interested in knowing which stacks are incriminated.
The PR has www.sixxs.net:80 as example, which seems to be running "Linux
Apache/2.0.55 (Debian)" (according to netcraft). nmap wasn't really able
to tell in my testing, but it should be possible to approach somebody at
sixxs.net about it - they are very helpful and worried about IPv6.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
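The failure mode discussed above (a state opened by a SYN that carries a flow label, then a SYN/ACK that comes back with flow label 0 and finds no matching state) is modelled below as an added example. It is not code from this thread or from ipfw/pf; the state-table layout, the `flowkey` struct, the canonicalization rule and the addresses 2001:db8::1 / 2001:db8::80 are all assumptions made for illustration. The example generalizes slightly: `synack_matches()` takes both directions' labels so the echoed-label, zero-label and label-not-keyed cases can be compared side by side.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified bidirectional state key (assumption: not ipfw's real
 * dynamic-rule layout).  addr_a/port_a and addr_b/port_b are stored in a
 * canonical order so a packet and its reply produce the same key. */
struct flowkey {
    uint8_t  addr_a[16], addr_b[16];
    uint16_t port_a, port_b;
    uint32_t flowlabel;      /* 20-bit IPv6 flow label seen on the packet */
};

#define MAXSTATES 16
static struct flowkey states[MAXSTATES];
static int nstates;

/* Order the endpoint pair so that direction does not affect the key. */
static void canonicalize(struct flowkey *k)
{
    int c = memcmp(k->addr_a, k->addr_b, 16);
    if (c > 0 || (c == 0 && k->port_a > k->port_b)) {
        uint8_t t[16];
        uint16_t tp;
        memcpy(t, k->addr_a, 16);
        memcpy(k->addr_a, k->addr_b, 16);
        memcpy(k->addr_b, t, 16);
        tp = k->port_a; k->port_a = k->port_b; k->port_b = tp;
    }
}

/* The flow label only participates in the comparison when use_flowlabel
 * is set; this flag is the whole point of the discussion. */
static bool key_equal(const struct flowkey *x, const struct flowkey *y,
                      bool use_flowlabel)
{
    return memcmp(x->addr_a, y->addr_a, 16) == 0 &&
           memcmp(x->addr_b, y->addr_b, 16) == 0 &&
           x->port_a == y->port_a && x->port_b == y->port_b &&
           (!use_flowlabel || x->flowlabel == y->flowlabel);
}

static void state_reset(void) { nstates = 0; }

static int state_insert(struct flowkey k)
{
    canonicalize(&k);
    if (nstates == MAXSTATES)
        return -1;
    states[nstates] = k;
    return nstates++;
}

/* Returns the index of the matching state, or -1 for "no state". */
static int state_lookup(struct flowkey k, bool use_flowlabel)
{
    canonicalize(&k);
    for (int i = 0; i < nstates; i++)
        if (key_equal(&states[i], &k, use_flowlabel))
            return i;
    return -1;
}

static struct flowkey mkkey(const uint8_t src[16], uint16_t sport,
                            const uint8_t dst[16], uint16_t dport, uint32_t fl)
{
    struct flowkey k;
    memcpy(k.addr_a, src, 16);
    memcpy(k.addr_b, dst, 16);
    k.port_a = sport; k.port_b = dport;
    k.flowlabel = fl & 0xfffff;   /* flow label is 20 bits wide */
    return k;
}

/* Constructed endpoints: client 2001:db8::1 port 40000, server 2001:db8::80 port 80. */
static const uint8_t CLIENT[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x01};
static const uint8_t SERVER[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x80};

/* Outbound SYN carries syn_fl and opens a state; the peer's SYN/ACK comes
 * back with synack_fl.  True if the reply finds the state the SYN opened. */
static bool synack_matches(uint32_t syn_fl, uint32_t synack_fl, bool use_flowlabel)
{
    state_reset();
    state_insert(mkkey(CLIENT, 40000, SERVER, 80, syn_fl));
    return state_lookup(mkkey(SERVER, 80, CLIENT, 40000, synack_fl), use_flowlabel) >= 0;
}

int main(void)
{
    printf("label not keyed, peer replies with 0: %s\n",
           synack_matches(0x12345, 0, false) ? "match" : "no state");
    printf("label keyed, peer echoes our label:   %s\n",
           synack_matches(0x12345, 0x12345, true) ? "match" : "no state");
    printf("label keyed, peer replies with 0:     %s\n",
           synack_matches(0x12345, 0, true) ? "match" : "no state");
    return 0;
}
```

The third case is the one from the PR: with the label in the key, a stack that answers with flow label 0 never reaches the state its peer opened, and the connection stalls at the firewall even though nothing in the packets is illegal. Only the first case, leaving the label out of the key, tolerates such stacks.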