Re: problem regarding new lsm hooks

From: Valdis.Kletnieks@private
Date: Mon Sep 26 2005 - 20:20:01 PDT


On Mon, 26 Sep 2005 14:37:55 PDT, umesh chandak said:

Incidentally, what sort of filtering did you intend to do with this hook that
can't already be done with iptables?

> 3) Ethereal shows the correct result (does not capture ICMP reply packets)
> for both wired and wireless network.

It's *highly* debatable whether this is a "correct" result.

Ethereal is a *debugging* tool.  Consider the following scenarios:

1) A ping from a remote machine doesn't work.  Ethereal on the target doesn't
show any inbound or outbound ICMP.

2) A ping from a remote machine doesn't work.  Ethereal on the target doesn't
show any inbound or outbound ICMP.

3) A ping from a remote machine doesn't work.  Ethereal on the target doesn't
show any inbound or outbound ICMP.

Confused?  I thought so.  What the 3 cases *should* have been:

1) A ping from a remote machine doesn't work.  Ethereal on the target doesn't
show any inbound or outbound ICMP.  You now know that the ICMP packet never
arrived, and can start debugging the inbound path (filters at firewalls, routers, etc).

2) A ping from a remote machine doesn't work.  Ethereal on the target shows
an inbound ICMP, but no outbound.  You now know the target machine is dropping
the ball (most likely an ifconfig/route/iptables issue).

3) A ping from a remote machine doesn't work.  Ethereal on the target shows
an inbound and outbound ICMP.  You now know the problem is on the return path.

Of course, it's your machine, and GPL code, so you're certainly permitted to
create software that launches projectiles at your own feet... :)
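
The three-way triage described in the message above, as an added example that is not part of the original post: it reads tcpdump-style one-line text output taken on the target and reports which of the three cases each ping falls into. The sample capture, the addresses and the function names are constructed for illustration, and the logic assumes the capture sees packets before any local filter drops them.

```python
import re

# Constructed sample capture in tcpdump's one-line text format
# (documentation-range addresses; not taken from the original thread).
TARGET = "198.51.100.5"
SAMPLE = """\
12:00:01.000100 IP 192.0.2.10 > 198.51.100.5: ICMP echo request, id 4321, seq 1, length 64
12:00:01.000180 IP 198.51.100.5 > 192.0.2.10: ICMP echo reply, id 4321, seq 1, length 64
12:00:02.000100 IP 192.0.2.10 > 198.51.100.5: ICMP echo request, id 4321, seq 2, length 64
"""

LINE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def triage(capture, target, remote):
    """Return {(id, seq): verdict}; an empty dict means no ICMP echo between the hosts was seen."""
    seen = {}  # (id, seq) -> subset of {"request", "reply"}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an ICMP echo line
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request" and (m["src"], m["dst"]) == (remote, target):
            seen.setdefault(key, set()).add("request")
        elif m["kind"] == "reply" and (m["src"], m["dst"]) == (target, remote):
            seen.setdefault(key, set()).add("reply")
    verdicts = {}
    for key, kinds in sorted(seen.items()):
        if kinds == {"request", "reply"}:
            verdicts[key] = "case 3: reply left the target; debug the return path"
        elif kinds == {"request"}:
            verdicts[key] = "case 2: request arrived, no reply; check ifconfig/route/iptables"
        else:
            verdicts[key] = "reply without a captured request; capture is incomplete"
    return verdicts

def summarize(capture, target, remote):
    verdicts = triage(capture, target, remote)
    if not verdicts:
        return ["case 1: no ICMP seen; debug the inbound path (firewalls, routers)"]
    return [f"id={i} seq={s}: {v}" for (i, s), v in verdicts.items()]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE, TARGET, "192.0.2.10")))
```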




