On Mon, 9 Jul 2007 18:50:27 -0400 (EDT) James Morris <[EMAIL PROTECTED]> wrote:
> On Mon, 9 Jul 2007, Tetsuo Handa wrote: > > > It drops messages from unwanted IP address/ports. > > (To be exact, it doesn't drop, it just tells userland process > > not to use received messages by returning errors.) > > This is broken. > > You need to properly fail the network operation and ensure that the peers > are appropriately notified using the standard failure paths, not just > arbitrarily propagate errors to the local user. Isn't it better to hook into existing netfilter infrastructure somehow? Just filtering by ports or IP addresses is tip of bigger security isolation issues. -- Stephen Hemminger <[EMAIL PROTECTED]> - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
