Date: Tue, 21 Jan 2003 02:20:47 +0100
From: "Simon L. Nielsen" <simon@nitro.dk>
To: Luigi Rizzo <rizzo@icir.org>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Sanity check in ipfw(8)
Message-ID: <20030121012046.GG351@nitro.dk>
In-Reply-To: <20030120165940.A65713@xorpc.icir.org>
References: <20030121004353.GF351@nitro.dk> <20030120165940.A65713@xorpc.icir.org>
On 2003.01.20 16:59:40 +0000, Luigi Rizzo wrote:
> > I recently found a problem where ipfw2 would allow the user to create
> > firewall rules that do not make sense like (notice udp and setup):
> here "not make sense" means "they will never match any packet".

Yes - I should properly have written that.

> Now, no matter which checks you implement on a single rule, you can
> still generate sequences of rules that never match any traffic. E.g.

Yes, I know it is not possible to make it catch all eventualities.

> No, I don't think it is useful to have extra sanity checks in userland,
> both for the above reason, and because these checks can be bypassed
> using directly the kernel ABI.
>
> There _are_ sanity checks in the kernel but these are only meant
> to avoid crashing the box by pushing in random configurations. If
> a rule matches no packets, tough -- it is not a problem of the firewall
> per se and it does not cause the box to break.

Ok - the extra check was only to make the user aware of simple errors
(that ipfw1 did not allow). If you don't think the checks should be
there then I can live with that, so the PR can be closed.

-- 
Simon L. Nielsen

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+LKBu8kocFXgPTRwRAru0AKC33mu6QDZVqvak5GF5qs9eXnmdwQCgl+Aw
j3We+m4RkEDuIxejZPJQ9pI=
=CYL5
-----END PGP SIGNATURE-----
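As an added illustration of the kind of userland check the two messages debate (example code written for this page, not ipfw(8)'s own code, and not from either author): a small linter over ipfw rule text. It flags the single-rule case from the thread, a TCP-only option such as `setup` combined with a non-TCP protocol such as `udp`, and goes one step beyond the thread by also flagging a rule whose match criteria exactly repeat an earlier terminal rule, which is one concrete instance of Luigi Rizzo's point that a rule can be unreachable even when it is individually valid. The rule grammar, the set of TCP-only options, the set of non-TCP protocols and the set of terminal actions are simplifying assumptions of this example; the sample ruleset is constructed.

```python
"""Lint ipfw-style rule text for rules that can never match.

Example code for this page, not ipfw(8)'s own implementation.  The rule
grammar is a deliberately small subset:

    [ipfw] [add] [<num>] <action> <proto> from <src> to <dst> [options...]
"""
import re
from typing import Dict, List, Tuple

# Assumption: these options test TCP header state, so they can only ever
# match TCP packets.
TCP_ONLY_OPTIONS = {"setup", "established", "tcpflags", "tcpoptions"}
# Assumption: protocols that are definitely not TCP.
NON_TCP_PROTOS = {"udp", "icmp", "igmp", "esp", "ah"}
# Assumption: actions that end rule processing for a matching packet.
TERMINAL_ACTIONS = {"allow", "accept", "pass", "permit", "deny", "drop"}

RULE_RE = re.compile(
    r"^\s*(?:ipfw\s+)?(?:add\s+)?(?:(?P<num>\d+)\s+)?"
    r"(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<opts>(?:\s+\S+)*)\s*$"
)


def parse_rule(rule: str) -> Dict[str, object]:
    """Split one rule line into its fields; raise on unknown syntax."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unrecognised rule syntax: {rule!r}")
    return {
        "num": int(m.group("num")) if m.group("num") else None,
        "action": m.group("action").lower(),
        "proto": m.group("proto").lower(),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "opts": [o.lower() for o in m.group("opts").split()],
    }


def lint_rule(rule: str) -> List[str]:
    """Single-rule check: TCP-only options on a non-TCP protocol."""
    r = parse_rule(rule)
    warnings = []
    if r["proto"] in NON_TCP_PROTOS:
        for opt in r["opts"]:
            if opt in TCP_ONLY_OPTIONS:
                warnings.append(
                    f"option '{opt}' can never match protocol '{r['proto']}'"
                )
    return warnings


def lint_ruleset(rules: List[str]) -> List[Tuple[int, str]]:
    """Per-rule checks plus one cross-rule check.

    A rule whose (proto, src, dst, options) exactly repeat those of an
    earlier terminal rule is shadowed: the earlier rule already decided
    every packet it could see.  Only exact repeats are detected; a rule
    covered by a broader earlier range is not, which is exactly the
    incompleteness the thread points out.
    """
    seen: Dict[tuple, int] = {}
    report: List[Tuple[int, str]] = []
    for idx, text in enumerate(rules):
        for w in lint_rule(text):
            report.append((idx, w))
        r = parse_rule(text)
        key = (r["proto"], r["src"], r["dst"], tuple(r["opts"]))
        if key in seen:
            report.append(
                (idx, f"match criteria repeat rule at index {seen[key]}; never reached")
            )
        elif r["action"] in TERMINAL_ACTIONS:
            seen[key] = idx
    return report


# Constructed sample ruleset: rule 0 is the udp+setup case from the thread,
# rule 2 repeats rule 1 exactly, rule 3 is a non-terminal count rule so it
# does not shadow rule 4.
RULES = [
    "add 100 allow udp from any to any setup",
    "add 200 allow tcp from any to any setup",
    "add 300 allow tcp from any to any setup",
    "add 400 count udp from any to any",
    "add 500 deny udp from any to any",
]

if __name__ == "__main__":
    for idx, msg in lint_ruleset(RULES):
        print(f"rule {idx}: {msg}")
```

Running the file prints one line for rule 0 (the `udp` plus `setup` contradiction) and one for rule 2 (unreachable because rule 1 is identical). Anything the regex does not recognise raises rather than being silently accepted, since a linter that guesses at rule syntax would give false confidence.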
