Subject: Re: Zembu Packet Classifier -- would like to put it in the mainline
To: Darren Reed <darrenr@reed.wattle.id.au>
From: Jason R Thorpe <thorpej@zembu.com>
List: tech-net
Date: 12/29/2000 09:16:03
On Fri, Dec 29, 2000 at 11:24:59PM +1100, Darren Reed wrote:

 > But quite secure given that they can't be deleted.  Well, you can insert
 > in front of said rules but some flexibility won't go astray.  As for it
 > being safe, well, it may not get validated but the automatically generated
 > code is otherwise just as `safe' as any other kernel C code.

...right, for the "statically compiled into the kernel" type rules,
they're just as safe as any other code statically compiled into the
kernel.  But having to reboot to adjust rules is just not acceptable
in many applications.

 > > the latter is generally considered unsafe.
 > 
 > Unsafe by who ?  Lots of people build good firewalls on Solaris.
 > Whether object code gets loaded into the kernel at runtime, bootup
 > or generated on the fly, for it to get there in the first place
 > implies that someone trusts that mechanism.

Well, I'm not building firewalls on Solaris, am I? :-)  I think it's
fair to say that there are plenty of folks who don't like the idea of
loading arbitrary object code into the kernel of a firewall machine.

 > Whilst bpf_validate() checks bytecode, what checks the resulting
 > object code for correctness ?

Regression testing on the synthesizer.

The point is, it is BPF bytecode that is being loaded into the kernel;
the kernel then validates that the bytecode is safe (no infinite loops,
no jumping to outside the bytecode program's boundaries, etc.), and then
the kernel takes this trusted bytecode and translates it into object
code.  The kernel doesn't get object code (which it would not be able
to easily verify) loaded into it.

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>
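As an added illustration of the validation step Jason describes (not code from the thread, NetBSD or Zembu), the following C program implements the checks classic bpf_validate() is known for: every jump must land inside the program, scratch-memory indices must stay inside M[], division by a constant zero is rejected, and the program must end in a RET. The struct layout and opcode constants are defined in the file itself to mirror the classic BPF encoding, so it builds without <net/bpf.h>; the sample filters at the bottom are constructed for the demonstration.

```c
/*
 * Added illustration (not NetBSD's code) of the bytecode checks the message
 * above attributes to bpf_validate(): bounded forward jumps, an in-range
 * scratch-memory index, no division by a constant zero, and a RET at the
 * end.  The struct and constants are defined here to mirror the classic
 * BPF encoding so the file builds without <net/bpf.h>.
 */
#include <stddef.h>
#include <stdint.h>

#define BPF_MAXINSNS 512          /* upper bound on program length */
#define BPF_MEMWORDS 16           /* size of the M[] scratch array  */

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* instruction class (code & 7) */
enum { BPF_LD, BPF_LDX, BPF_ST, BPF_STX, BPF_ALU, BPF_JMP, BPF_RET, BPF_MISC };
#define BPF_H    0x08   /* halfword load          (code & 0x18) */
#define BPF_ABS  0x20   /* absolute packet offset (code & 0xe0) */
#define BPF_MEM  0x60   /* scratch memory         (code & 0xe0) */
#define BPF_DIV  0x30   /* ALU op                 (code & 0xf0) */
#define BPF_JA   0x00   /* unconditional jump     (code & 0xf0) */
#define BPF_JEQ  0x10   /* jump if A == operand   (code & 0xf0) */
#define BPF_K    0x00   /* operand is the constant k (code & 0x08) */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SRC(c)   ((c) & 0x08)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)

/* Returns 1 if the program is safe to interpret or compile, 0 if it must be rejected. */
int validate_bpf(const struct bpf_insn *prog, size_t len)
{
    if (len == 0 || len > BPF_MAXINSNS)
        return 0;
    for (size_t i = 0; i < len; i++) {
        const struct bpf_insn *p = &prog[i];
        switch (BPF_CLASS(p->code)) {
        case BPF_LD:
        case BPF_LDX:
            if (BPF_MODE(p->code) == BPF_MEM && p->k >= BPF_MEMWORDS)
                return 0;           /* M[k] read outside the scratch array */
            break;
        case BPF_ST:
        case BPF_STX:
            if (p->k >= BPF_MEMWORDS)
                return 0;           /* M[k] write outside the scratch array */
            break;
        case BPF_ALU:
            if (BPF_OP(p->code) == BPF_DIV && BPF_SRC(p->code) == BPF_K && p->k == 0)
                return 0;           /* would trap inside the kernel */
            break;
        case BPF_JMP:
            /* Offsets are unsigned and relative to the next instruction, so
             * every jump is forward and loops are impossible by construction;
             * what remains to check is that no target lies past the end. */
            if (BPF_OP(p->code) == BPF_JA) {
                if (p->k >= len - i - 1)
                    return 0;
            } else if (i + 1 + p->jt >= len || i + 1 + p->jf >= len) {
                return 0;
            }
            break;
        case BPF_RET:
        case BPF_MISC:
            break;
        }
    }
    /* execution must leave the program through a RET, never run off the end */
    return BPF_CLASS(prog[len - 1].code) == BPF_RET;
}

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample: accept IPv4 frames on Ethernet (ldh [12]; jeq #0x800; ret). */
static const struct bpf_insn ipv4_ok[] = {
    { BPF_LD | BPF_H | BPF_ABS,  0, 0, 12 },
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 0x0800 },
    { BPF_RET | BPF_K,           0, 0, 65535 },
    { BPF_RET | BPF_K,           0, 0, 0 },
};
/* Same filter, but the false branch (jf=5) lands past the last instruction. */
static const struct bpf_insn jump_past_end[] = {
    { BPF_LD | BPF_H | BPF_ABS,  0, 0, 12 },
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 5, 0x0800 },
    { BPF_RET | BPF_K,           0, 0, 65535 },
    { BPF_RET | BPF_K,           0, 0, 0 },
};
/* Falls off the end without returning. */
static const struct bpf_insn no_ret[] = {
    { BPF_LD | BPF_H | BPF_ABS,  0, 0, 12 },
};
/* Divides the accumulator by a constant zero. */
static const struct bpf_insn div_by_zero[] = {
    { BPF_ALU | BPF_DIV | BPF_K, 0, 0, 0 },
    { BPF_RET | BPF_K,           0, 0, 0 },
};

int check_ipv4_ok(void)       { return validate_bpf(ipv4_ok, NELEM(ipv4_ok)); }
int check_jump_past_end(void) { return validate_bpf(jump_past_end, NELEM(jump_past_end)); }
int check_no_ret(void)        { return validate_bpf(no_ret, NELEM(no_ret)); }
int check_div_by_zero(void)   { return validate_bpf(div_by_zero, NELEM(div_by_zero)); }
```

The validator only has to accept a program once, before any translation, because every jump offset in classic BPF is unsigned and relative to the following instruction: termination is a property of the encoding, and the validator's job is reduced to bounding the targets and the memory indices. A compiler that consumes only programs that passed this check inherits those guarantees, which is the trust argument made in the message above.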