On Thu, Apr 29, 2010 at 4:24 PM, Wesley W. Terpstra <wes...@terpstra.ca> wrote:
> Drama aside, I'm glad someone finally figured this out. From what I
> understand these are the scenarios:
> 1) End-user system with no IP-forwarding: works because ip_conntrack doesn't
> exist

correct

> 2) Firewall with no local IRC clients: works because ip_conntrack exists and
> there's no need to check the local TCP connections.

wrong, see below

> 3) System with IP connection tracking enabled AND an IRC client: *fails*
> because it sees its own connection in ip_conntrack, thus forwarding to
> itself.

semi-correct: IRC is not the problem here; any service that triggers an ident
lookup will also fail. Includes local ftp client, local MTA, etc...

> The fix works because it checks for a local connection before seeing if it
> needs to be forwarded. An obvious mistake, if you can reproduce it.

right

> Does this summarize the problem? So to be able to reproduce this problem
> (which I've said before I couldn't), I need to set up a system like scenario
> #3.

correct

> I'll try this now and see if I can make the problem appear and then
> disappear.

Cool, thx!

> As far as the 'security concerns' about this patch, I can't see much of a
> problem. It simply moves existing code a bit earlier. It also makes logical
> sense; one should always test for the base-case (termination) in a recursive
> algorithm before the recursive step.

Indeed.

HTH

-- 
Thibaut VARENE
http://www.parisc-linux.org/~varenet/
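As an added illustration (not code from the thread or from the ident daemon being patched), here is a small Python model of the lookup order discussed above: the pre-fix order consults ip_conntrack before the host's own TCP table and so "forwards" a local connection to the firewall itself, while the fixed order answers for local sockets first. The connection tables, addresses and user names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample tables (not from the thread); addresses from documentation ranges.
FIREWALL_IP = "203.0.113.1"          # the NAT box's own public address

@dataclass(frozen=True)
class Conn:
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    owner: str                        # local user owning the socket

# The firewall's own TCP table: a local client (IRC, FTP, MTA...) talking to a peer.
LOCAL_TCP = [Conn(FIREWALL_IP, 40001, "198.51.100.7", 6667, "alice")]

# ip_conntrack view: (src port seen by the peer, peer addr, peer port) -> original source.
# Locally originated flows are tracked too, so the local client's flow appears here as well.
CONNTRACK = {
    (40001, "198.51.100.7", 6667): FIREWALL_IP,     # the firewall's own connection
    (40002, "198.51.100.7", 6667): "192.168.1.20",  # a masqueraded LAN host
}

def lookup_local(lport: int, raddr: str, rport: int):
    """Return the owner of a matching local socket, or None."""
    for c in LOCAL_TCP:
        if (c.local_port, c.remote_addr, c.remote_port) == (lport, raddr, rport):
            return c.owner
    return None

def lookup_conntrack(lport: int, raddr: str, rport: int):
    """Return the host a tracked flow originated from, or None."""
    return CONNTRACK.get((lport, raddr, rport))

def resolve_buggy(lport: int, raddr: str, rport: int):
    """Pre-fix order: conntrack first, so a local flow gets 'forwarded' to ourselves."""
    target = lookup_conntrack(lport, raddr, rport)
    if target is not None:
        return ("FORWARD", target)
    owner = lookup_local(lport, raddr, rport)
    return ("USERID", owner) if owner else ("ERROR", "NO-USER")

def resolve_fixed(lport: int, raddr: str, rport: int):
    """Fixed order: answer for local sockets first (the base case), then forward."""
    owner = lookup_local(lport, raddr, rport)
    if owner is not None:
        return ("USERID", owner)
    target = lookup_conntrack(lport, raddr, rport)
    if target is not None and target != FIREWALL_IP:   # never forward to ourselves
        return ("FORWARD", target)
    return ("ERROR", "NO-USER")
```

Querying the local client's flow (port 40001) shows the difference: the buggy order returns a forward to the firewall's own address, the fixed order returns the local user.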