Subject: Re: New IP filter code
To: Jason Thorpe <email@example.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
Date: 04/01/1997 17:34:09
Jason Thorpe <firstname.lastname@example.org> writes:
>On Tue, 01 Apr 1997 17:07:56 -0800
> Jonathan Stone <jonathan@DSG.Stanford.EDU> wrote:
> > Executive summary:
> > The [sic] fix in NetBSD's ip_fil is perceived by security-weenies
> > as a security flaw.
> > So, how about this: we add a hook to ip_fil's pseudo-device attach
> > routine, to turn on filtering, so those that rely on the old semantics
> > get it by default; and we add a config option that turns off that
> > call, so those who need to configure fail-open can do so.
>>So, your "old semantics" argument isn't even really valid, given
>>how it actually worked.
That's how it worked in ip_fil 2.8.2 through 3.1.whatever.
I'm still running a couple of pre-integration versions.
>What you can do, however, to get the semantics you want, is to put:
> /sbin/ipf -E
>first in /etc/rc.
No, that's **not** the semantics I want. Do you really not see the