From mboxrd@z Thu Jan 1 00:00:00 1970
From: Henrik Nordstrom
Subject: Re: New API / POM modules to merge.... (was: Unique rule ID?!)
Date: Tue, 9 Nov 2004 20:09:07 +0100 (CET)
References: <20041108134743.217B817BE5@grasshopper.anduras.de> <418FD708.3030302@anduras.de> <4190E80C.8020106@anduras.de>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: netfilter-devel@lists.netfilter.org
To: Sven Anders
In-Reply-To: <4190E80C.8020106@anduras.de>
Sender: netfilter-devel-bounces@lists.netfilter.org
Errors-To: netfilter-devel-bounces@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

On Tue, 9 Nov 2004, Sven Anders wrote:

> | The API is being redesigned in pkttables.
>
> Is there documentation for the new API available?

It is "currently" being designed from what I know. Harald?

> Some questions:
>
> ~ 1. "TTL or HOPLIMIT: no, it's dangerous"
>
> ~ Why? Don't use it, if it's dangerous - or does it crash the kernel?

It (TTL) in its current form violates fundamental aspects of IP, easily allowing the administrator to "accidentally" create configurations which will crash the network.

In case of the TTL match it should be sufficient to change

    if (new_ttl != iph->ttl) {

to

    if (new_ttl < iph->ttl) {

and remove the increase option to make it safe, but at the same time you lose a lot of the powers of this target so it may not be desirable to make this change..

Regards
Henrik
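Added example, not part of Henrik's mail and not the netfilter TTL target source: a small user-space C model of a TTL target with set/increase/decrease modes, run once with the check Henrik quotes (new_ttl != iph->ttl) and once with the decrease-only check he proposes (new_ttl < iph->ttl). It also patches the IPv4 header checksum incrementally (RFC 1624) when the TTL word changes and re-verifies it against a full recomputation, which is the part a reviewer would want to see checked. The names apply_ttl_target, TTL_SET/TTL_INC/TTL_DEC, decrease_only and the sample header are assumptions of this example, constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_HDR_WORDS 10   /* 20-byte IPv4 header without options, as 16-bit words */
#define TTL_WORD     4    /* word holding TTL (high byte) and protocol (low byte) */
#define CSUM_WORD    5    /* header checksum word */

/* Rule modes. Hypothetical names that mirror the set/increase/decrease modes of
 * the TTL target the mail discusses; not the kernel's own definitions. */
enum ttl_mode { TTL_SET, TTL_INC, TTL_DEC };

struct ttl_rule {
    enum ttl_mode mode;
    uint8_t value;
};

/* Internet checksum over the header with the checksum field taken as zero. */
uint16_t ip_header_checksum(const uint16_t hdr[IP_HDR_WORDS])
{
    uint32_t sum = 0;
    for (size_t i = 0; i < IP_HDR_WORDS; i++)
        sum += (i == CSUM_WORD) ? 0 : hdr[i];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* RFC 1624 incremental update of one 16-bit word: HC' = ~(~HC + ~m + m'). */
uint16_t csum_replace16(uint16_t hc, uint16_t m, uint16_t m_new)
{
    uint32_t sum = (uint16_t)~hc;
    sum += (uint16_t)~m;
    sum += m_new;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

uint8_t hdr_ttl(const uint16_t hdr[IP_HDR_WORDS])
{
    return (uint8_t)(hdr[TTL_WORD] >> 8);
}

/* TTL the rule asks for, saturated to the 0..255 range of the field. */
uint8_t requested_ttl(const struct ttl_rule *r, uint8_t cur)
{
    int v = cur;
    switch (r->mode) {
    case TTL_SET: v = r->value;       break;
    case TTL_INC: v = cur + r->value; break;
    case TTL_DEC: v = cur - r->value; break;
    }
    if (v < 0)   v = 0;
    if (v > 255) v = 255;
    return (uint8_t)v;
}

/* Apply the target to a header. decrease_only == false models the check the
 * mail quotes (new_ttl != iph->ttl); decrease_only == true models the proposed
 * replacement (new_ttl < iph->ttl), under which no rule can ever raise a TTL.
 * Returns true when the header was modified. */
bool apply_ttl_target(uint16_t hdr[IP_HDR_WORDS], const struct ttl_rule *r,
                      bool decrease_only)
{
    uint8_t cur = hdr_ttl(hdr);
    uint8_t new_ttl = requested_ttl(r, cur);
    bool change = decrease_only ? (new_ttl < cur) : (new_ttl != cur);

    if (!change)
        return false;
    uint16_t old_word = hdr[TTL_WORD];
    uint16_t new_word = (uint16_t)((new_ttl << 8) | (old_word & 0xff));
    /* Patch the checksum for the changed word instead of recomputing it. */
    hdr[CSUM_WORD] = csum_replace16(hdr[CSUM_WORD], old_word, new_word);
    hdr[TTL_WORD] = new_word;
    return true;
}

/* Constructed sample header: IPv4, IHL 5, UDP, 10.0.0.1 -> 10.0.0.2, given TTL. */
void sample_header(uint16_t hdr[IP_HDR_WORDS], uint8_t ttl)
{
    const uint16_t base[IP_HDR_WORDS] = { 0x4500, 0x0054, 0x1c46, 0x4000, 0x0000,
                                          0x0000, 0x0a00, 0x0001, 0x0a00, 0x0002 };
    for (size_t i = 0; i < IP_HDR_WORDS; i++)
        hdr[i] = base[i];
    hdr[TTL_WORD] = (uint16_t)((ttl << 8) | 17);
    hdr[CSUM_WORD] = ip_header_checksum(hdr);
}

int main(void)
{
    uint16_t h[IP_HDR_WORDS];
    struct ttl_rule inc10 = { TTL_INC, 10 };
    bool modified;

    sample_header(h, 3);
    modified = apply_ttl_target(h, &inc10, false);
    printf("quoted check:   TTL 3 +10 -> modified=%d ttl=%u csum_ok=%d\n",
           modified, hdr_ttl(h), ip_header_checksum(h) == h[CSUM_WORD]);
    sample_header(h, 3);
    modified = apply_ttl_target(h, &inc10, true);
    printf("proposed check: TTL 3 +10 -> modified=%d ttl=%u csum_ok=%d\n",
           modified, hdr_ttl(h), ip_header_checksum(h) == h[CSUM_WORD]);
    return 0;
}
```

With the quoted check an increase rule raises the sample packet's TTL from 3 to 13; with the proposed check the same rule leaves the packet untouched, while decrease and set-to-lower rules still apply, which is the trade-off Henrik describes.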