Subject: Re: upgrading ipfilter (was: patch for limiting MSS)
To: NetBSD Networking Technical Discussion List <>
From: Michael Richardson <>
List: tech-net
Date: 12/07/2001 23:33:46
>>>>> "David" == David Laight <> writes:
    David> Seems to me a lot of the hardware device drivers could be loadable,
    David> and much of the network stack.  Makes developing / testing new drivers
    David> easier - and enforces binary compatibility on you, not a bad
    David> thing.

  I guess that explains why non-technical Linux users are so successful at
upgrading their kernels. (:-| for the sarcasm impared)

  Loadable modules are a nightmare of version control and security.

    David> The loadable driver is no more likely to be compromised than the file
    David> containing the filter rules....

  Not true.
  We have multiple ways of protecting against things based upon securitylevels.

  But, if you insist on loading modules after leaving single user mode, then
all bets are off. If you are happy to load all of the modules during boot
time, then you still have to reboot to change hardware. (or at least, "kill 1")

    >> but that doesn't really solve the problem.  You have to
    >> update the ipfilter user tools and ipfilter kernel code in sync,
    >> regardless of how the latter is loaded/linked into the kernel you run.

    David> Not if the interface to the updated filter code is binary compatible
    David> with the old version.  Maybe the 'new' userspace programs know how to
    David> load the 'new' or 'old' drivers, possibly with different rules....

  This is a nice goal, period. It has nothing to do with modules though.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [