Date:      Wed, 19 Sep 2012 21:42:47 +0200
From:      Ermal Luçi <eri@freebsd.org>
To:        Gleb Smirnoff <glebius@freebsd.org>
Cc:        Sergey Kandaurov <pluknet@freebsd.org>, freebsd-pf@freebsd.org
Subject:   Re: svn commit: r240646 - head/sys/contrib/altq/altq
Message-ID:  <CAPBZQG2NLhCUQ9314Nn0nJvVqEo3T%2BPnwhhuDP-hw5A0=hbeNA@mail.gmail.com>
In-Reply-To: <20120918161516.GG85604@glebius.int.ru>
References:  <201209181234.q8ICYaFB091109@svn.freebsd.org> <CAE-mSOJFHSSTmOBYYqUQkF3s_zK4aGTz2GXZWRo-ZfzJmhZazQ@mail.gmail.com> <CAPBZQG3JbsCOMAvYrOjVyRhbS6pfWxnyoaaMO8B%2BHp=pUdXk_A@mail.gmail.com> <20120918161516.GG85604@glebius.int.ru>

On Tue, Sep 18, 2012 at 6:15 PM, Gleb Smirnoff <glebius@freebsd.org> wrote:
>   Ermal,
>
> On Tue, Sep 18, 2012 at 06:02:06PM +0200, Ermal Luçi wrote:
> E> The issue is that this hides the problem per se.
>
> What had hidden problem per se, was the following code:
>
>                         PF_UNLOCK();
>                         error = altq_add(a2);
>                         PF_LOCK();
>
> That's what we have in stable/9.
>
> E> The ioctl and pfctl loading of ruleset is not ready for handling failures here!
>
> They do. Error from altq_add() is returned by pf_ioctl() as response
> to DIOCADDALTQ command. The code in pfctl, which does DIOCADDALTQ also
> is handling errors.

The issue is that you will fail a ruleset loading now that before
could not fail.
You need to teach pfctl that it is ok if ALTQ ruleset load fails now, no?

I think the most important thing in ruleset loading is the rules, then
comes ALTQ.
Since ALTQ failure is tolerable and the risk from that failing is low!
It's better to do a best effort loading of ruleset
and just report where it failed?

You just committed a 'questionable' patch for default block, just for
security, though
break that contract by making security depend on unpredictable behaviour!
Am I missing something here? Review of things before implementation?

>
> --
> Totus tuus, Glebius.

-- 
Ermal


