Subject: Re: kern/10134: ipfilter with careless ICMP rules will send ICMP in response to ICMP
To: None <netbsd-bugs@netbsd.org,>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 05/17/2000 01:39:43
[ On May 16, 2000 at 17:15:24 (-0700), Wolfgang Rupprecht wrote: ]
> Subject: Re: kern/10134: ipfilter with careless ICMP rules will send ICMP in response to ICMP
>
> Personally I'd like to see as little policy in the code as possible
> and just put a big fat note in the ipfilter documentation that says
> always precede a return-icmp with a test for the error-icmp's and
> silently drop them.

I don't like that idea -- for the same reason I wouldn't want to write
security code in assembler any more.  That's the kind of missing feature
which makes something a *lot* harder to use than necessary.

It would be one thing if there was already a high-level compiler that
could generate all these messy details but I've not encountered anything
even remotely capable of doing this for IP Filter.  (Maybe "FCT" could
be taught to do it, but it isn't a standard part of the NetBSD or of
ipf, or even pkgsrc, distributions either.)

In this particular case there's really only one "right" thing to do and
I don't see any harm in hard-coding it into the kernel.  It would be
nice to instrument this of course (i.e. in the same automatic way such
that one didn't have to manually add equivalent rules to do the
counting!).

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
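The rule ordering Wolfgang describes above, written out as an added ipf.conf fragment that is not part of this thread or of IP Filter's own documentation; the interface name le0 is assumed.

```conf
# Added illustration of the ordering discussed in the thread (not from
# the thread itself).  Interface "le0" is assumed for the example.

# Careless form: a bare return-icmp on a catch-all rule also answers
# inbound ICMP *error* messages with a fresh ICMP error, which RFC 1122
# forbids and which can ping-pong between two hosts configured this way.
#block return-icmp(port-unr) in on le0 all

# Corrected ordering: first silently drop incoming ICMP error types, with
# "quick" so that no later return-icmp rule is ever consulted for them.
block in quick on le0 proto icmp from any to any icmp-type unreach
block in quick on le0 proto icmp from any to any icmp-type squench
block in quick on le0 proto icmp from any to any icmp-type timex
block in quick on le0 proto icmp from any to any icmp-type paramprob

# Only then the rule that generates ICMP errors, and only for UDP: TCP
# should get return-rst, and ICMP should never be answered with ICMP.
block return-icmp(port-unr) in on le0 proto udp from any to any
```

Because ipf uses last-match semantics unless "quick" is given, the drop rules must be both earlier in the file and marked "quick" for the ordering to mean anything.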