#3 Security bug in iptables management

open
nobody
None
5
2003-08-10
2003-08-10
No

Hello

I found a security problem in the way donitor and sonitor
manage iptables/ipchains.
2 chains are added at the beginning of the fw rules:
DKY_DWN & DKY_UP (for donitor). These rules seem to
be built automatically after a netstat analysis.
The goal of these rules seems to be to get real-time network
statistics.

The problem is that these rules are also active rules, and
they don't just count packets.
In this case, some security rules (management of the
conntrack in the iptables...) never match these
connections.

You should replace in the update_rrd.pl script the target
of these rules with a simple RETURN, rather than an
ACCEPT.

...
$filter -I DKY_DWN -j RETURN; \
$filter -I DKY_UP -j RETURN
...
my @data=grep(/RETURN/, qx($qstring));
...
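To make the failure mode concrete, here is an added Python model of iptables chain traversal (it is not code from the tracker, from the monitor scripts or from update_rrd.pl). The chain name DKY_DWN and the idea of a conntrack rule come from the report; the rule set, packet states and counters are constructed for the example.

```python
# Minimal model of iptables chain traversal (constructed example).
# A rule is (match, target). ACCEPT/DROP end traversal, RETURN hands control
# back to the calling chain, any other target is a jump into a user chain.
# Counters record how many packets each rule matched.
from collections import defaultdict

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")

def run_chain(chains, name, pkt, counters, policy="ACCEPT"):
    """Traverse chain `name`; return the verdict, or None if the chain RETURNs."""
    for idx, (match, target) in enumerate(chains[name]):
        if not match(pkt):
            continue
        counters[(name, idx)] += 1
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        verdict = run_chain(chains, target, pkt, counters)  # jump into user chain
        if verdict is not None:
            return verdict
    # Built-in chains fall through to their policy; user chains implicitly RETURN.
    return policy if name in BUILTIN else None

def build_filter(counting_target):
    """INPUT with the monitor chain inserted first, then the security rules."""
    any_pkt = lambda p: True
    return {
        "INPUT": [
            (any_pkt, "DKY_DWN"),                          # inserted at the top by the monitor
            (lambda p: p["state"] == "INVALID", "DROP"),   # conntrack-style rule that should apply
            (lambda p: p["state"] == "ESTABLISHED", "ACCEPT"),
        ],
        "DKY_DWN": [(any_pkt, counting_target)],           # statistics rule: ACCEPT vs RETURN
    }

def evaluate(counting_target, pkt):
    """Return (verdict, packets counted by the DKY_DWN rule) for one packet."""
    chains = build_filter(counting_target)
    counters = defaultdict(int)
    verdict = run_chain(chains, "INPUT", pkt, counters, policy="DROP")
    return verdict, counters[("DKY_DWN", 0)]

if __name__ == "__main__":
    invalid = {"state": "INVALID"}
    print("ACCEPT target:", evaluate("ACCEPT", invalid))  # ('ACCEPT', 1): DROP rule never reached
    print("RETURN target:", evaluate("RETURN", invalid))  # ('DROP', 1): still counted, then dropped
```

With the ACCEPT target the packet is counted and accepted before the conntrack rule is ever consulted; with RETURN the counter still increments and the later rules decide.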
