From owner-freebsd-security  Thu Nov  5 19:45:00 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id TAA11359
          for freebsd-security-outgoing; Thu, 5 Nov 1998 19:45:00 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA11351
          for <freebsd-security@FreeBSD.ORG>; Thu, 5 Nov 1998 19:44:58 -0800 (PST)
          (envelope-from archie@whistle.com)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id TAA16584; Thu, 5 Nov 1998 19:44:47 -0800 (PST)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3)
	id sma016577; Thu Nov  5 19:44:38 1998
Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id TAA20295; Thu, 5 Nov 1998 19:44:38 -0800 (PST)
From: Archie Cobbs <archie@whistle.com>
Message-Id: <199811060344.TAA20295@bubba.whistle.com>
Subject: Re: Amazing wonder packet Part 2.
In-Reply-To: <Pine.BSF.3.96.981105103648.5251A-100000@fledge.watson.org> from Robert Watson at "Nov 5, 98 10:42:10 am"
To: robert+freebsd@cyrus.watson.org
Date: Thu, 5 Nov 1998 19:44:38 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Robert Watson writes:
> I also raised the question: are packets ever queued after acceptance by
> ipfw such that they could be received later if the port is not yet bound?
> For example, suppose ipfw in a nascent or under-developed state accepts a
> packet, and then later named is started -- is it possible through any race
> conditions that the packet accepted earlier will make it to named later?

Unless you are using divert(4) rules, etc, all ipfw rules apply
"atomically" to each packet... there's no possibility of adding/removing
rules and applying of rules intersecting (reason: splnet()).
Also, ipfw does not hold on to any packets. The only possible
exception is a fragmented packet.. you could get one fragment,
then change a rule, then get another..

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message