tech-net archive


Re: Experiments with npf on -current

Zoltan Arnold NAGY wrote:
On Thu, Nov 24, 2011 at 5:07 AM, Darren Reed <> 
On 24/11/2011 12:13 AM, Zoltan Arnold NAGY wrote:
On Wed, Nov 23, 2011 at 5:55 AM, Jeremy C. Reed <> 
interest of progress. Remember that this is -CURRENT, where things like
this are *supposed* to happen?

As for me, I was glad Darren pointed this out. (In fact, I was quite
surprised when I read the followup acknowledging known buggy code living
in -current.)
We should suggest and even force that code known to be broken to be
reverted. (Well I think this is already true, but not happening?) (It
will be easier when we have a better revision control so many can work
easier on branches.)
When I committed the code, I did test it with both v4 and v6. Apart from the TCP
state engine bugs, I did not encounter any issues; that's why I committed.

Sorry if it got through. I'll work with rmind@ on the weekend to fix these.
Let me summarise the email to which I responded for the benefit
of yourself and others in a single sentence:

"The IPv6 merge introduced numerous security bugs."
Could you list non-NPF specific security bugs that were introduced?
I have yet to see a list.

Exactly what testing was done prior to the merge and how was it done?
Regular usage scenarios. No automated testing with a packet generator,
if that's what you're suggesting.

If we did introduce security holes even when npf is disabled, I sincerely
apologize; if we did not, then I seriously don't get your tone.

Because even if it is disabled by default, there's nothing stopping someone
from downloading -current today, using npf and falling victim to the bugs.

There's more reasoning, but I just can't seem to put the thoughts and ideas
into coherent sentences (everything I try just comes out wrong).
My apologies for that.


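The thread above turns on the admission that the IPv6 merge was exercised only through "regular usage scenarios" and never with an automated packet generator. The block below is an added example (editor's illustration, not NetBSD or npf code, and not something either poster ran) of the smallest useful generator for that job: it builds raw IPv6/TCP packets with a correct RFC 8200 pseudo-header checksum, emits a three-way handshake that a stateful filter's TCP state engine must accept in order, plus a stray ACK with no preceding SYN that such a filter should drop, and can parse packets back to check that the checksum survived whatever path they took. The addresses (2001:db8::/32 documentation prefix), ports and sequence numbers are constructed test values; the code only produces bytes, so feeding them to a kernel requires a raw socket or an external replay tool, which is left to the reader and not assumed here.

```python
"""Minimal IPv6/TCP test-packet generator (added example; not npf/NetBSD code)."""
import ipaddress
import struct

TCP_PROTO = 6
# Flag letters in the order used when rendering bits back to a string.
FLAG_BITS = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10))


def _ones_complement_sum(data: bytes) -> int:
    """Fold a byte string into a 16-bit one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src: ipaddress.IPv6Address, dst: ipaddress.IPv6Address, upper_len: int) -> bytes:
    """RFC 8200 section 8.1 pseudo-header that the TCP checksum covers."""
    return src.packed + dst.packed + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([TCP_PROTO])


def build_packet(src, dst, sport, dport, seq, ack, flags, payload=b"", hop_limit=64) -> bytes:
    """Return a plain IPv6 header + TCP segment (no options, no extension headers)."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    flag_bits = 0
    for letter, bit in FLAG_BITS:
        if letter in flags:
            flag_bits |= bit
    # data offset 5 words (20-byte header), checksum field zeroed for now
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_bits, 65535, 0, 0) + payload
    csum = (~_ones_complement_sum(_pseudo_header(src, dst, len(tcp)) + tcp)) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), TCP_PROTO, hop_limit) + src.packed + dst.packed
    return ip6 + tcp


def parse_packet(pkt: bytes) -> dict:
    """Decode a packet built by build_packet and verify its TCP checksum."""
    ver_tc_fl, plen, nh, _hlim = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6 or nh != TCP_PROTO or len(pkt) != 40 + plen:
        raise ValueError("not a plain IPv6/TCP packet")
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    tcp = pkt[40:]
    sport, dport, seq, ack, off, fbits, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    # A correct checksum makes the folded sum over pseudo-header + segment 0xFFFF.
    ok = _ones_complement_sum(_pseudo_header(src, dst, len(tcp)) + tcp) == 0xFFFF
    return {
        "src": str(src), "dst": str(dst), "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "flags": "".join(l for l, b in FLAG_BITS if fbits & b),
        "checksum_ok": ok, "payload": tcp[(off >> 4) * 4:],
    }


def handshake(client, server, cport, sport, isn_c, isn_s):
    """SYN, SYN-ACK, ACK: the sequence a stateful filter must accept in order."""
    return [
        build_packet(client, server, cport, sport, isn_c, 0, "S"),
        build_packet(server, client, sport, cport, isn_s, isn_c + 1, "SA"),
        build_packet(client, server, cport, sport, isn_c + 1, isn_s + 1, "A"),
    ]


def stray_ack(client, server, cport, sport):
    """ACK with no preceding SYN; a stateful filter should have no state for it."""
    return build_packet(client, server, cport, sport, 1, 1, "A")


if __name__ == "__main__":
    # Constructed test values: documentation prefix, arbitrary ports and ISNs.
    C, S = "2001:db8::1", "2001:db8::2"
    for p in handshake(C, S, 40000, 80, 1000, 5000) + [stray_ack(C, S, 40001, 80)]:
        print(parse_packet(p))
```

The checksum verification is the part worth keeping even if you replace the generator with a real tool: a firewall that rewrites or normalises IPv6 packets and gets the pseudo-header wrong will pass its own regular-usage tests (the kernel stack recomputes checksums on the way out) while silently corrupting traffic it forwards.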