Re: NPF: fast kick

To: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
Subject: Re: NPF: fast kick
From: Maxime Villard <max%m00nbsd.net@localhost>
Date: Tue, 13 Mar 2018 20:20:35 +0100

Le 13/03/2018 à 00:23, Mindaugas Rasiukevicius a écrit :

 [...]


I think our disagreement/misunderstanding comes down to this paragraph:

- NPF should perform minimum sanity checks to be able to read the basic
L3 payload from the packet for its own operation (-- I don't think we have
a disagreement here).  However, generally, the *default rule* decides
whether unrecognizable (or malformed) packets are passed or not; this is
more or less how other packet filters work too.


The change I made was exactly your first sentence: perform minimum sanity
checks, to ensure the basic operation of NPF. If the basic operation cannot
be assured, then fast-kick the packet.

If you pass the packet to the ruleset machinery, things can go wrong, because
the basic operation of the machinery cannot be assured.

Maxime

Follow-Ups:
- Re: NPF: fast kick
  - From: Mindaugas Rasiukevicius

References:
- NPF: fast kick
  - From: Maxime Villard
- Re: NPF: fast kick
  - From: Mindaugas Rasiukevicius
- Re: NPF: fast kick
  - From: Maxime Villard
- Re: NPF: fast kick
  - From: Mindaugas Rasiukevicius
- Re: NPF: fast kick
  - From: Maxime Villard
- Re: NPF: fast kick
  - From: Mindaugas Rasiukevicius

Prev by Date: Re: Adding packet filtering to tun interfaces
Next by Date: Re: NPF: TCP options
Previous by Thread: Re: NPF: fast kick
Next by Thread: Re: NPF: fast kick
Indexes:

Home | Main Index | Thread Index | Old Index