Current-Users archive
Re: The NPF firewall leaks! (was Re: in_cksum: out of data)
Tom Ivar Helbekkmo <tih%hamartun.priv.no@localhost> wrote:
> ...
>
> It's fine and all, but I tend to think that the simplistic first version
> might automatically expand to the code in the second one. In fact, the
> documentation seems to agree with me:
>
> By default, a stateful rule implies SYN-only flag check ("flags
> S/SAFR") for the TCP packets. It is not advisable to change this
> behavior; however, it can be overridden with the flags keyword.
>
> The code or the documentation needs to change. I vote for the code. :)
There is a difference between these two:
pass stateful out final all
pass stateful out final proto tcp all
The latter will generate an implicit "flags S/SAFR", while the former
will not as it covers non-TCP protocols too. I agree that this is not
really intuitive and the documentation did not clarify this either.
--
Mindaugas
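To make the distinction above concrete, here is an added npf.conf fragment (not from the thread or from NPF's own documentation) that puts the protocol-agnostic rule beside a per-protocol split; the interface name wm0, the $ext_if variable and the group layout are assumptions for illustration.

```conf
# Added example (not part of the original mail). Interface name is constructed.
$ext_if = "wm0"

group default on $ext_if {
	# Pitfall discussed in the thread: this rule covers every protocol,
	# so NPF does not add the implicit "flags S/SAFR" check and the
	# stateful TCP rule is not restricted to SYN-only packets.
	# pass stateful out final all

	# Per-protocol split: the TCP rule gets the SYN-only check, written
	# out here with the flags keyword (equivalent to the default that
	# "proto tcp" implies); non-TCP traffic is passed by its own rules.
	pass stateful out final proto tcp flags S/SAFR all
	pass stateful out final proto udp all
	pass stateful out final proto icmp all

	block all
}
```

After reloading the ruleset, `npfctl show` lists the rules with their effective flags, which is the quickest way to confirm that the TCP rule carries the S/SAFR check and the generic one does not.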