Date:      Fri, 8 Aug 2008 16:00:56 +0200
From:      Marian Hettwer <mh@kernel32.de>
To:        freebsd-stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, thompsa@FreeBSD.ORG
Subject:   Re: should looking at an interface with 'ifconfig' trigger a change ?
Message-ID:  <293d3dc9ebaee1119424aa58532d3c5d@localhost>
In-Reply-To: <200808081318.m78DIaXJ017555@lurza.secnetix.de>
References:  <200808081318.m78DIaXJ017555@lurza.secnetix.de>

Hi Oliver,

On Fri, 8 Aug 2008 15:18:36 +0200 (CEST), Oliver Fromme
<olli@lurza.secnetix.de> wrote:
> Andrew Thompson wrote:
>  > Pete French wrote:
>  > > > The bce driver is not properly generating link state events.
>  > >
>  > > OK, that explains why it doesn't failover - but why does looking at it
>  > > with ifconfig make a difference ? surely that should be 'read only' ?
>  >
>  > ifconfig will cause the media status to be read from the hardware at
>  > which time the link change is generated as it is different to the stored
>  > value.
> 
> Shouldn't that be considered a security flaw?  After all,
> you can perform "ifconfig $IF" inside a jail to list the
> interface configuration, but you're not allowed to make
> any changes.
> 
> Given your description above, it means that it is possible
> to modify the interface configuration (cause a failover)
> from within a jail.  That's not good.  I think that needs
> to be fixed, or at the very least it needs to be properly
> documented.
> 
And regarding documentation: it should be documented that lagg(4) won't
work very well with bce(4). If it's nowhere documented that bce and
failover with lagg doesn't work, some people might be screwed...

Just my 0,02 cents

./Marian



