[Cerowrt-devel] Fwd: [uknof] CVE-2014-0160 mitigation using iptables

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Apr 9 11:41:20 EDT 2014


On Wed, 09 Apr 2014 08:18:23 -0700, Dave Taht said:
> It is not clear if this could be used to protect things inside the
> firewall (switching to a forward rather than input table), nor if it
> could be used with ipv6.

It will require adjusting the 52= in the rule, but otherwise should be
OK for IPv6.

For that matter, the ruleset as given is probably busticated when IP or TCP
options are present, because it assumes a hard-coded offset.
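
The offset dependence described above, worked through as an added example that is not part of the original message. It assumes the 52 is a byte offset counted from the start of the IP header, equal to a 20-byte IPv4 header plus a 32-byte TCP header; the packets, addresses and payload bytes are constructed.

```python
import struct

FIXED_OFFSET = 52  # the hard-coded "52=" from the thread; assumed = 20 (IPv4) + 32 (TCP)
TS_OPT = b"\x01\x01\x08\x0a" + bytes(8)   # NOP, NOP, timestamp: 12 bytes of TCP options
PAYLOAD = b"\x18\x03\x02\x00\x03"         # constructed TLS record header bytes

def _tcp(tcp_opts):
    doff = 5 + len(tcp_opts) // 4         # TCP header length in 32-bit words
    return struct.pack("!HHIIBBHHH", 40000, 443, 0, 0,
                       doff << 4, 0x18, 65535, 0, 0) + tcp_opts

def ipv4_packet(ip_opts=b"", tcp_opts=b"", payload=PAYLOAD):
    """Constructed IPv4/TCP packet; checksums are zero, only lengths matter here."""
    ihl = 5 + len(ip_opts) // 4
    seg = _tcp(tcp_opts) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(seg),
                      0, 0, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + ip_opts + seg

def ipv6_packet(tcp_opts=b"", payload=PAYLOAD):
    """Constructed IPv6/TCP packet with no extension headers."""
    seg = _tcp(tcp_opts) + payload
    addr = bytes.fromhex("20010db8" + "00" * 12)
    return struct.pack("!IHBB16s16s", 6 << 28, len(seg), 6, 64, addr, addr) + seg

def tcp_payload_offset(pkt):
    """Offset of the TCP payload from the start of the IP header, or None."""
    version = pkt[0] >> 4
    if version == 4 and pkt[9] == 6:
        l3 = (pkt[0] & 0x0F) * 4          # IHL: grows with IP options
    elif version == 6 and pkt[6] == 6:
        l3 = 40                           # fixed header; extension headers not walked
    else:
        return None
    return l3 + (pkt[l3 + 12] >> 4) * 4   # data offset: grows with TCP options

def fixed_offset_hits_payload(pkt):
    """True only when a match at FIXED_OFFSET lands on the first payload byte."""
    return tcp_payload_offset(pkt) == FIXED_OFFSET

if __name__ == "__main__":
    cases = {
        "IPv4, TCP timestamps": ipv4_packet(tcp_opts=TS_OPT),
        "IPv4, no TCP options": ipv4_packet(),
        "IPv4, IP options + timestamps": ipv4_packet(b"\x01" * 4, TS_OPT),
        "IPv6, TCP timestamps": ipv6_packet(tcp_opts=TS_OPT),
    }
    for name, pkt in cases.items():
        print(f"{name}: payload at {tcp_payload_offset(pkt)}, "
              f"fixed offset correct: {fixed_offset_hits_payload(pkt)}")
```
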
