On Wed, Nov 09, 2005 at 02:21:42AM +0100, Pablo Neira wrote:
> Harald Welte wrote:
> > [NETFILTER] nfnetlink: only load subsystems if CAP_NET_ADMIN is set
> >
> > Without this patch, any user can cause nfnetlink subsystems to be
> > autoloaded. Those subsystems however could add significant processing
> > overhead to packet processing, and would refuse any configuration messages
> > from non-CAP_NET_ADMIN processes anyway.
> >
> > This patch follows a suggestion from Patrick McHardy.
>
> If this patch gets applied, we'll have to cook another patch to kill the
> capability checking based on callbacks (nfnl_callback) that we currently
> use, right?
No. There are two different issues:

1) CAP_NET_ADMIN required for autoloading an nfnetlink subsystem
2) the capabilities based on callbacks for individual messages

They can coexist quite nicely. Whether we decided to get rid of '2' is
therefore a completely different question.

--
- Harald Welte <[EMAIL PROTECTED]>                 http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
 architectural error that shows how much experimentation was going on
 while IP was being designed."                          -- Paul Vixie
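The two gates Harald describes can be seen side by side in a small userspace model. This is an added example, not the kernel's nfnetlink code and not the patch under discussion: the subsystem names, message types and the "patched" switch are made up for the model, and only CAP_NET_ADMIN is represented. Gate 1 runs once, when a message arrives for a subsystem that is not loaded; gate 2 is the per-callback cap_required check and runs for every message. The model shows what the thread states: after the autoload gate is in place, a non-CAP_NET_ADMIN sender can no longer trigger a module load, but it can still reach callbacks of an already-loaded subsystem that require no capability, so the per-callback check remains the thing that protects configuration messages.

```c
/* Added model of nfnetlink's two independent capability gates.  Not kernel
 * code: subsystem table, message types and error handling are simplified. */
#include <stdbool.h>
#include <stdio.h>

#define CAP_NET_ADMIN   12                 /* real Linux capability number */
#define CAP_TO_MASK(c)  (1UL << (c))
#define MODEL_CAP_NONE  0                  /* assumption: 0 = no capability needed */

#define MODEL_OK        0
#define MODEL_EPERM     (-1)               /* same meaning as -EPERM */
#define MODEL_EINVAL    (-22)              /* same meaning as -EINVAL */

#define MODEL_NMSG      2                  /* message types per subsystem */

struct model_callback {
    int cap_required;                      /* mirrors nfnl_callback.cap_required */
    const char *name;
};

struct model_subsys {
    const char *name;
    bool loaded;                           /* module present? */
    struct model_callback cb[MODEL_NMSG];  /* indexed by message type */
};

/* Hypothetical subsystem table; names and layout are invented for the model.
 * Subsystem 0 starts unloaded, subsystem 1 starts loaded. */
static struct model_subsys subsystems[] = {
    { "model_log",   false, { { MODEL_CAP_NONE, "GET_CONFIG" }, { CAP_NET_ADMIN, "SET_CONFIG" } } },
    { "model_queue", true,  { { MODEL_CAP_NONE, "GET_STATS"  }, { CAP_NET_ADMIN, "SET_CONFIG" } } },
};
#define NSUBSYS (sizeof subsystems / sizeof subsystems[0])

static int autoload_count;                 /* times request_module() would have run */

/* Kernel-style helper: is capability 'cap' raised in the sender's effective set? */
static bool cap_raised(unsigned long eff_cap, int cap)
{
    return (eff_cap & CAP_TO_MASK(cap)) != 0;
}

/* Restore the initial table state so repeated runs start from the same point. */
void model_reset(void)
{
    subsystems[0].loaded = false;
    subsystems[1].loaded = true;
    autoload_count = 0;
}

int model_autoload_count(void)
{
    return autoload_count;
}

/* Gate 1: autoload.  With the patch, an unprivileged sender gets -EPERM
 * before any module would be requested; without it, the load always happens. */
static int model_autoload(struct model_subsys *ss, unsigned long eff_cap, bool patched)
{
    if (patched && !cap_raised(eff_cap, CAP_NET_ADMIN))
        return MODEL_EPERM;
    autoload_count++;                      /* stands in for request_module() */
    ss->loaded = true;
    return MODEL_OK;
}

/* Dispatch one message.  'patched' selects behaviour with/without gate 1;
 * gate 2 (per-callback cap_required) is applied in both cases. */
int model_rcv_msg(unsigned subsys_id, unsigned msg_type, unsigned long eff_cap, bool patched)
{
    if (subsys_id >= NSUBSYS || msg_type >= MODEL_NMSG)
        return MODEL_EINVAL;

    struct model_subsys *ss = &subsystems[subsys_id];
    if (!ss->loaded) {
        int err = model_autoload(ss, eff_cap, patched);
        if (err)
            return err;
    }

    /* Gate 2: per-message capability check, independent of gate 1. */
    const struct model_callback *cb = &ss->cb[msg_type];
    if (cb->cap_required != MODEL_CAP_NONE && !cap_raised(eff_cap, cb->cap_required))
        return MODEL_EPERM;
    return MODEL_OK;
}

int main(void)
{
    model_reset();
    printf("unpatched, unprivileged GET_CONFIG: %d (loads=%d)\n",
           model_rcv_msg(0, 0, 0UL, false), model_autoload_count());
    model_reset();
    printf("patched,   unprivileged GET_CONFIG: %d (loads=%d)\n",
           model_rcv_msg(0, 0, 0UL, true), model_autoload_count());
    printf("patched,   privileged   SET_CONFIG: %d (loads=%d)\n",
           model_rcv_msg(0, 1, CAP_TO_MASK(CAP_NET_ADMIN), true), model_autoload_count());
    printf("patched,   unprivileged GET_CONFIG on loaded subsys: %d\n",
           model_rcv_msg(0, 0, 0UL, true));
    printf("patched,   unprivileged SET_CONFIG on loaded subsys: %d\n",
           model_rcv_msg(0, 1, 0UL, true));
    return 0;
}
```

The sequence in main() is the point of the model: the same unprivileged GET_CONFIG that causes a load in the unpatched variant is refused by gate 1 in the patched one, yet once a privileged sender has loaded the subsystem that GET_CONFIG succeeds again, because gate 1 no longer applies and the callback requires no capability. Removing gate 2 would therefore let the same sender's SET_CONFIG through as well, which is why the two checks are separate questions.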