On Thu 15 Jun 2023 at 09:12:02 -0500, David Young wrote:
> On Tue, Jun 13, 2023 at 02:16:26PM +0200, Martin Husemann wrote:
> > Me too. A sysctl is slightly expensive (at various scales) and IMHO
> > simply not needed here. A kernel config option to restore the old
> > behaviour would be OK, but I'd like to avoid that too.
>
> I had a glance at in_canforward and the places where it is used, and it
> sure looks like policy that was made into mechanism.
>
> Instead of adding a kernel config option or sysctl, wouldn't it be
> simplest to add REJECT routes for the relevant ranges at boot, or not,
> based on a setting in rc.conf?

I was thinking along the lines of: if a sysctl check (of some address
validity) would get in the way of the fast path, then that particular
check could be left the same. In the slow path (the failure case), it
could then check the sysctl and possibly consider the address valid
anyway. With a scheme like this, the run time costs are only incurred if
somebody actually uses the "new" addresses.

-Olaf.
--
___ Olaf 'Rhialto' Seibert <rhialto/at/falu.nl>
\X/ There is no AI. There is just someone else's work. --I. Rose