Date: Tue, 17 Apr 2012 13:48:25 +0400
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: Ermal Luçi <eri@FreeBSD.org>
Cc: freebsd-pf@FreeBSD.org
Subject: Re: kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives
Message-ID: <20120417094825.GC99119@glebius.int.ru>
In-Reply-To: <CAPBZQG0ujzB%2B7xTFpvhjRVbrtBEeABXHeKDx-WjbSOaAWX0-sA@mail.gmail.com>
References: <201204151200.q3FC0LT5085161@freefall.freebsd.org>
 <20120416185949.GC92286@FreeBSD.org>
 <CAPBZQG2Tjg36GNCBetRZ20FhQnL1sK9i_-oQDDb97bcb4N=sLA@mail.gmail.com>
 <20120417081406.GA93887@glebius.int.ru>
 <CAPBZQG2gF8GSx6eE4jkFuOf29c-jB09Gz6=%2BkbpXprN8XiEE4w@mail.gmail.com>
 <20120417084608.GA99119@glebius.int.ru>
 <CAPBZQG0ujzB%2B7xTFpvhjRVbrtBEeABXHeKDx-WjbSOaAWX0-sA@mail.gmail.com>

Replying on only one paragraph, everything else agreed.

On Tue, Apr 17, 2012 at 11:33:27AM +0200, Ermal Luçi wrote:
E> The only problem I might see is when running more than one firewall
E> together but still there are other issues when you do that at pfil(9)
E> level.

Well, playing with two firewalls was never safe and clear, there will
always be edge cases in such setups.

E> Also, if_simloop is not meant for packets leaving the host so that
E> should be safe, no?

Shouldn't live, but it still enters pfil(9) and there one or other
firewall can again bounce it in any direction. Probably M_SKIP_FIREWALL
is a good idea.

-- 
Totus tuus, Glebius.