tech-net archive


Re: Experiments with npf on -current



On Thu, Nov 24, 2011 at 5:07 AM, Darren Reed <darrenr%netbsd.org@localhost> wrote:
> On 24/11/2011 12:13 AM, Zoltan Arnold NAGY wrote:
>> On Wed, Nov 23, 2011 at 5:55 AM, Jeremy C. Reed <reed%reedmedia.net@localhost> wrote:
>>>> interest of progress. Remember that this is -CURRENT, where things like
>>>> this are *supposed* to happen?
>>>
>>>
>>> As for me, I was glad Darren pointed this out. (In fact, I was quite
>>> surprised when I read the followup acknowledging known buggy code living
>>> in -current.)
>> [...]
>>> We should suggest and even force that code known to be broken to be
>>> reverted. (Well I think this is already true, but not happening?) (It
>>> will be easier when we have a better revision control so many can work
>>> easier on branches.)
>>
>> When I committed the code, I did test it with both v4 and v6. Apart from the
>> TCP state engine bugs, I did not encounter any issues, that's why the commit.
>>
>> Sorry if it got thru. I'll work with rmind@ on the weekend to fix these.
>
> Let me summarise the email to which I responded for the benefit
> of yourself and others in a single sentence:
>
> "The IPv6 merge introduced numerous security bugs."
Could you list non-NPF specific security bugs that were introduced?
I have still yet to see a list.

> Exactly what testing was done prior to the merge and how was it done?
Regular usage scenarios. No automated testing with a packet generator,
if that's what you're suggesting.

If we did introduce security holes even when npf is disabled, I sincerely
apologize; if we did not, then I seriously don't get your tone.
I'm not a half-wit, so I can perfectly follow the conversation so far,
thank you.

Zoltan

