* Re: Re: Unique rule ID?!
From: Sven Anders @ 2004-11-08 20:28 UTC (permalink / raw)
  To: netfilter-devel

| From: Henrik Nordstrom <hno@marasystems.com>
| Subject: Re: Unique rule ID?!
| To: Sven Anders <anders@anduras.de>
| Cc: Netfilter Developers <netfilter-devel@lists.netfilter.org>
|
| On Mon, 8 Nov 2004, Sven Anders wrote:
|
|
|>Harald Welte and some others are breaking the compatibility every two or
|>three ip-tables/netfilter/kernel versions. :-)
|
|
| Only for patch-o-matic modules and intentionally so as there are good
| reasons why these are not (yet) in mainline. Every breakage of what is in
| mainline is a bug and gets fixed pretty quickly should it occur.

Ok, that's correct. But I need many of the POM modules and so it does occur
often.

| Using stuff from pom is a gamble on versions, much like any other use of
| experimental stuff is. Yes, it occasionally happens, but frankly quite
| rarely.
|
| Lately this has started to become quite a bit of a hindrance for the
| iptables development as there are many changes everyone agrees need to be
| done, but can't be done in a clean manner without breaking mainline stuff.
|
| Regards
| Henrik

You cannot think of all possibilities when designing an API. We now have a
state which has not changed for over 2 (or more?) years.
As I read, a new iptables version (1.3?) is coming; don't you think now
is the time to rethink the design and implement (or accept) new features
in the API?
There are so many interesting new match and target modules in the POM,
many are stable and could be taken to the mainline...

My idea is to collect all necessary changes (or wishes) and discuss them.
Which POM modules should be taken to the mainline, should be discussed too...

Any comments?!

Regards
Sven

--
Sven Anders <anders@anduras.de>

ANDURAS service solutions AG
Innstraße 71 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Legal form: Aktiengesellschaft - Registered office: Passau - Passau District Court HRB 6032
Members of the Management Board: Sven Anders, Marcus Junker, Michael Schön
Chairman of the Supervisory Board: Dipl. Kfm. Karlheinz Antesberger


* Re: Re: Unique rule ID?!
From: Henrik Nordstrom @ 2004-11-08 21:32 UTC (permalink / raw)
  To: Sven Anders; +Cc: netfilter-devel

On Mon, 8 Nov 2004, Sven Anders wrote:

> | Only for patch-o-matic modules and intentionally so as there are good
> | reasons why these are not (yet) in mainline. Every breakage of what is in
> | mainline is a bug and gets fixed pretty quickly should it occur.
>
> Ok, that's correct. But I need many of the POM modules and so it does occur
> often.

Which you should expect when using work in progress (which is what POM 
represents).

> As I read, a new iptables version (1.3?) is coming; don't you think now
> is the time to rethink the design and implement (or accept) new features
> in the API?

The API is being redesigned in pkttables.

> There are so many interesting new match and target modules in the POM,
> many are stable and could be taken to the mainline...

Many are being taken to mainline.

> My idea is to collect all necessary changes (or wishes) and discuss them.

This is what this list is intended for.

> Which POM modules should be taken to the mainline, should be discussed too...

You are welcome, so are any other subscribers here.

Please note that the pom inventory was quite recently discussed on the 
netfilter developer workshop, deciding which of the additions should go 
mainline and which not, with some motivations on each. The summary can be 
found in the workshop notes available in the documentation section of the 
web site.

Regards
Henrik


* Re: New API / POM modules to merge.... (was: Unique rule ID?!)
From: Sven Anders @ 2004-11-09 15:53 UTC (permalink / raw)
  To: Henrik Nordstrom, netfilter-devel

Henrik Nordstrom wrote:
|
|> As I read, a new iptables version (1.3?) is coming; don't you think now
|> is the time to rethink the design and implement (or accept) new features
|> in the API?
|
|
| The API is being redesigned in pkttables.

Is there documentation for the new API available?

|> There are so many interesting new match and target modules in the POM,
|> many are stable and could be taken to the mainline...
|
| Please note that the pom inventory was quite recently discussed on the
| netfilter developer workshop, deciding which of the additions should go
| mainline and which not, with some motivations on each. The summary can
| be found in the workshop notes available in the documentation section of
| the web site.

Interesting list. Nice to see that many useful matches will be merged...

Some questions:

1. "TTL or HOPLIMIT: no, it's dangerous"

   Why? Don't use it, if it's dangerous - or does it crash the kernel?

2. "ipp2p: like string matching, stays in POM"

   Did not find the "string" match comment. Does it stay here forever?


Regards
Sven


* Re: New API / POM modules to merge.... (was: Unique rule ID?!)
From: Henrik Nordstrom @ 2004-11-09 19:09 UTC (permalink / raw)
  To: Sven Anders; +Cc: netfilter-devel

On Tue, 9 Nov 2004, Sven Anders wrote:

> | The API is being redesigned in pkttables.
>
> Is there documentation for the new API available?

It is "currently" being designed from what I know. Harald?

> Some question:
>
> ~ 1. "TTL or HOPLIMIT: no, it's dangerous"
>
> ~    Why? Don't use it, if it's dangerous - or does it crash the kernel?

It (TTL) in its current form violates fundamental aspects of IP, easily 
allowing the administrator to "accidentally" create configurations which 
will crash the network.

In case of the TTL match it should be sufficient to change

         if (new_ttl != iph->ttl) {

to

         if (new_ttl < iph->ttl) {

and remove the increase option to make it safe, but at the same time you 
lose a lot of the powers of this target so it may not be desirable to 
make this change..

Regards
Henrik

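A constructed model of the two guards Henrik quotes, added here as an example; it is not code from the netfilter TTL target or from anyone in this thread. It applies a set/increase/decrease target under the original `!=` guard and under the proposed `<` guard, then runs a packet around a ring of routers to show why a target that can raise the TTL lets a forwarding loop run indefinitely while the decrease-only guard keeps the loop self-terminating. The struct, enum and function names (apply_ttl_target, hops_until_expiry) are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model, not netfilter code: only the header field we need. */
struct ip_hdr { uint8_t ttl; };
enum ttl_mode { TTL_SET, TTL_INC, TTL_DEC };

/* Value the target wants to write (saturating at 0 and 255). */
static uint8_t ttl_target_value(uint8_t cur, enum ttl_mode mode, uint8_t arg)
{
    if (mode == TTL_SET) return arg;
    if (mode == TTL_INC) return (cur + arg > 255) ? 255 : (uint8_t)(cur + arg);
    return (cur < arg) ? 0 : (uint8_t)(cur - arg);        /* TTL_DEC */
}

/* Applies the target; `safe` selects the guard Henrik proposes:
 *   original: if (new_ttl != iph->ttl)   any change is written
 *   proposed: if (new_ttl <  iph->ttl)   only decreases are written
 * (The real target also fixes the IP checksum; this model has none.) */
bool apply_ttl_target(struct ip_hdr *iph, enum ttl_mode mode, uint8_t arg,
                      bool safe)
{
    uint8_t new_ttl = ttl_target_value(iph->ttl, mode, arg);
    bool write = safe ? (new_ttl < iph->ttl) : (new_ttl != iph->ttl);
    if (write)
        iph->ttl = new_ttl;
    return write;
}

/* TTL left in the header after one application of the target. */
uint8_t ttl_after_target(uint8_t cur, enum ttl_mode mode, uint8_t arg, bool safe)
{
    struct ip_hdr h = { cur };
    apply_ttl_target(&h, mode, arg, safe);
    return h.ttl;
}

/* Forwarding loop through `ring` routers, router 0 running the TTL target.
 * Each router drops an expired packet, otherwise decrements TTL as IP
 * forwarding does, then (router 0 only) applies the target. Returns the hop
 * at which the packet died, or -1 if it still circulated after max_hops
 * hops, i.e. the TTL no longer terminates the loop. */
int hops_until_expiry(uint8_t start_ttl, int ring, enum ttl_mode mode,
                      uint8_t arg, bool safe, int max_hops)
{
    struct ip_hdr pkt = { start_ttl };
    for (int hop = 1; hop <= max_hops; hop++) {
        if (pkt.ttl <= 1)
            return hop;               /* ip_forward would drop it here */
        pkt.ttl--;
        if ((hop - 1) % ring == 0)
            apply_ttl_target(&pkt, mode, arg, safe);
    }
    return -1;
}
```

With a 4-router ring and TTL 64, a set-to-64 or increase-by-4 target under the original guard never lets the packet expire, while under the `<` guard the same rules are ignored and the packet dies after 64 hops as usual.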

* Re: New API / POM modules to merge....
From: Sven Anders @ 2004-11-09 21:54 UTC (permalink / raw)
  To: Henrik Nordstrom; +Cc: netfilter-devel

Henrik Nordstrom wrote:

|> Some question:
|>
|> ~ 1. "TTL or HOPLIMIT: no, it's dangerous"
|> ~    Why? Don't use it, if it's dangerous - or does it crash the kernel?
|
| It (TTL) in its current form violates fundamental aspects of IP, easily
| allowing the administrator to "accidentally" create configurations which
| will crash the network.
|
| In case of the TTL match it should be sufficient to change
|
|         if (new_ttl != iph->ttl) {
| to
|         if (new_ttl < iph->ttl) {
|
| and remove the increase option to make it safe, but at the same time you
| lose a lot of the powers of this target so it may not be desirable to
| make this change..

But does a possible misconfiguration justify this?
Simply mark this match as "DANGEROUS" or make the 'Increase' optional.

You did not remove pointers from C, because you could do something wrong... :-)

Regards
Sven



* Re: New API / POM modules to merge....
From: Henrik Nordstrom @ 2004-11-09 23:07 UTC (permalink / raw)
  To: Sven Anders; +Cc: netfilter-devel

On Tue, 9 Nov 2004, Sven Anders wrote:

> But does a possible misconfiguration justify this?

In case of TTL yes, or at least that is the general consensus among all 
the netfilter developers.

I hope you understand why increases of the IP TTL are very dangerous to IP 
networking. If you want to compare with something else then a reasonable 
comparison is a mail relay removing all Received lines while forwarding 
the messages; this is about as dangerous for much the same reasons.

The tool is there, but you need to work a little harder to get access to 
it. From experience it is known that if such tools are available in 
mainline then users who do not have a clue what they are doing will use them 
without understanding the implications or limitations of how such a tool can 
be safely used.

Regards
Henrik


* Re: New API / POM modules to merge....
From: Patrick McHardy @ 2004-11-09 23:16 UTC (permalink / raw)
  To: Henrik Nordstrom; +Cc: netfilter-devel

Henrik Nordstrom wrote:

> On Tue, 9 Nov 2004, Sven Anders wrote:
>
>> But does a possible misconfiguration justify this?
>
>
> In case of TTL yes, or at least that is the general consensus among 
> all the netfilter developers.
>
> I hope you understand why increases of the IP TTL are very dangerous to 
> IP networking. If you want to compare with something else then a 
> reasonable comparison is a mail relay removing all Received lines 
> while forwarding the messages; this is about as dangerous for much the 
> same reasons.
>
> The tool is there, but you need to work a little harder to get access 
> to it. From experience it is known that if such tools are available in 
> mainline then users who do not have a clue what they are doing will 
> use it without understanding the implications or limitations of how 
> such tool can be safely used.

I think there is another reason. I simply can't see any reason
to actually use it. Of course I might be missing something.

Regards
Patrick


* Re: New API / POM modules to merge....
From: Sven Anders @ 2004-11-09 23:27 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel, Henrik Nordstrom

Patrick McHardy wrote:
| Henrik Nordstrom wrote:
|
|> The tool is there, but you need to work a little harder to get access
|> to it. From experience it is known that if such tools are available in
|> mainline then users who do not have a clue what they are doing will
|> use it without understanding the implications or limitations of how
|> such tool can be safely used.
|
|
| I think there is another reason. I simply can't see any reason
| to actually use it. Of course I might be missing something.

Hide a firewall from a traceroute?
(But you did not need the increase function for it...)

Regards
Sven



* Re: New API / POM modules to merge....
From: Henrik Nordstrom @ 2004-11-09 23:46 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel

On Wed, 10 Nov 2004, Patrick McHardy wrote:

> I think there is another reason. I simply can't see any reason
> to actually use it. Of course I might be missing something.

There are a couple of valid reasons, such as countering ISP 
restrictions on link usage where the ISP enforces a single-computer-use 
policy by filtering on "normal" TTLs and thereby blocking users trying to 
share the link using a masquerading router (aka "broadband router"), but 
generally playing with the TTL in this manner is nonsense and there are 
other ways around such restrictions should it be needed.

Regards
Henrik


* Re: New API / POM modules to merge....
From: Patrick McHardy @ 2004-11-09 23:55 UTC (permalink / raw)
  To: Sven Anders; +Cc: netfilter-devel, Henrik Nordstrom

Sven Anders wrote:

> | I think there is another reason. I simply can't see any reason
> | to actually use it. Of course I might be missing something.
>
> Hide a firewall from a traceroute?
> (But you did not need the increase function for it...)

In my opinion this is entering the area of obscure security measures,
but it still is a reason, thanks :)

Regards
Patrick

