tech-net archive


Re: NPF: fast kick



Hi,

Please CC me when proposing NPF patches and please leave some extra time
for response.

Maxime Villard <max%m00nbsd.net@localhost> wrote:
> Currently, NPF does not immediately kick malformed packets, and performs
> very few sanity checks. Here is a patch [1] that fixes that.
> <...>

There are a few important points:

- There is a good reason for NPF to be *able* to behave as a silent
observer.  It can be used for deep packet inspection, packet analysis,
accounting, etc.  Hence the reason why NPF performs minimalistic sanity
checks.  Please do not assume that the only mode of operation for NPF
is a traditional firewall.

- Having said that, we should certainly have an option (and I agree it
should be on by default) to perform extensive sanity checks and block
anything unusual.  Just please make it a run-time *option* (for now, a
config-level variable will do, and later I will make it changeable via
npf.conf).

- It is better to keep a logical separation between the packet handler
which performs minimalistic sanity checks (just to extract the needed
information for NPF, e.g. populate the npf_cache_t structure) and the
function which performs a thorough validation.  So, can you please
introduce something like npf_deep_validate() (with an option to skip
it) where you abstract thorough protocol-level checks.

Thanks.

-- 
Mindaugas
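The separation proposed above, sketched as an added example in C that is neither NPF's code nor the patch under discussion: a minimal pass that fills a stand-in for npf_cache_t, a separate thorough validator in the spirit of the suggested npf_deep_validate(), and a hypothetical config-level switch that turns the deep checks off for silent-observer use. The struct, function and variable names and the sample IPv4 header are all assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Illustrative stand-in for npf_cache_t (not NPF's real struct): what the minimal pass extracts. */
typedef struct { const uint8_t *hdr; size_t buflen; unsigned hlen; } pkt_cache_t;
/* Hypothetical run-time switch; the mail asks for a config-level variable for now. */
int deep_validate_enabled = 1;

/* Minimal pass: only the checks needed to read the fields the filter itself consumes. */
bool cache_ipv4(const uint8_t *buf, size_t len, pkt_cache_t *pc) {
    if (len < 20) return false;          /* fixed IPv4 header not even readable */
    pc->hdr = buf; pc->buflen = len;
    pc->hlen = (buf[0] & 0x0f) * 4;      /* IHL is in 32-bit words */
    return true;
}

/* RFC 1071 one's-complement sum; yields 0 when a stored header checksum verifies. */
static uint16_t ip_cksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t)p[i] << 8 | p[i + 1];
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Thorough protocol-level checks, kept apart from the handler and skippable. */
bool deep_validate(const pkt_cache_t *pc) {
    const uint8_t *h = pc->hdr; unsigned total = (unsigned)h[2] << 8 | h[3];
    if (!deep_validate_enabled) return true;                  /* silent-observer mode */
    if ((h[0] >> 4) != 4) return false;                       /* version field */
    if (pc->hlen < 20 || pc->hlen > pc->buflen) return false; /* IHL bounds */
    if (total < pc->hlen || total > pc->buflen) return false; /* total length */
    return ip_cksum(h, pc->hlen) == 0;                        /* header checksum */
}

/* 0 = rejected by the minimal pass, 1 = rejected by deep validation, 2 = accepted. */
int handle_packet(const uint8_t *buf, size_t len) {
    pkt_cache_t pc;
    if (!cache_ipv4(buf, len, &pc)) return 0;
    return deep_validate(&pc) ? 2 : 1;
}

/* Constructed sample: a 20-byte IPv4/TCP header, optionally damaged, run through the filter. */
int run_case(uint8_t version, int deep_on, size_t len, int corrupt_cksum) {
    uint8_t h[20] = { 0x45,0,0,20, 0,0,0x40,0, 64,6,0,0, 10,0,0,1, 10,0,0,2 };
    h[0] = (uint8_t)(version << 4 | 5);
    uint16_t c = ip_cksum(h, 20);        /* checksum field is still zero here */
    h[10] = c >> 8; h[11] = c & 0xff;
    if (corrupt_cksum) h[11] ^= 1;
    deep_validate_enabled = deep_on;
    return handle_packet(h, len < 20 ? len : 20);
}
```

With the switch off, a packet that fails the deep checks is still cached and passed on, which is the observer behaviour the mail wants to preserve; with it on, the same packet is rejected at the second stage rather than in the handler.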

