git://ftp.safe.ca / safe / jmp / linux-2.6 / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a7d5173) | patch
netfilter: xtables: check for unconditionality of policies
authorJan Engelhardt <jengelh@medozas.de>
Thu, 9 Jul 2009 20:54:53 +0000 (22:54 +0200)
committerJan Engelhardt <jengelh@medozas.de>
Mon, 10 Aug 2009 11:35:29 +0000 (13:35 +0200)
commit90e7d4ab5c8b0c4c2e00e4893977f6aeec0f18f1
tree81951e3cb17713cd0cedfec9d4d3823d3fe264f5tree | snapshot
parenta7d51738e757c1ab94595e7d05594c61f0fb32cecommit | diff
netfilter: xtables: check for unconditionality of policies

This adds a check that iptables's original author Rusty set forth in
a FIXME comment.

Underflows in iptables are better known as chain policies, and are
required to be unconditional or there would be a stochastical chance
for the policy rule to be skipped if it does not match. If that were
to happen, rule execution would continue in an unexpected spurious
fashion.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
net/ipv4/netfilter/arp_tables.c diff | blob | history
net/ipv4/netfilter/ip_tables.c diff | blob | history
net/ipv6/netfilter/ip6_tables.c diff | blob | history
Full containers within linux kernel