Hi there,
>Looking at the ipf code (3.4.9, the one included in NetBSD 1.5), it looks
>like an entry is added to the decision cache only if the packet
>matches a rule with 'keep state' or 'keep frags'. So a ruleset without
>any 'keep state'/'keep frags' should not be vulnerable.
>Or did I miss something?
For the packet filtering code you are perfectly right. The advisory should
have said so. Still, the NAT code seems to also add entries to the decision
cache. Unfortunately I do not currently have the time to take a closer look
at the NAT code, so I do not know about the implications of this for packet
filtering.
If you find anything interesting in there let us know. :-)
-Thomas