Date: Tue, 21 Jan 2003 02:20:47 +0100
From: "Simon L. Nielsen" <simon@nitro.dk>
To: Luigi Rizzo <rizzo@icir.org>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Sanity check in ipfw(8)
Message-ID: <20030121012046.GG351@nitro.dk>
In-Reply-To: <20030120165940.A65713@xorpc.icir.org>
References: <20030121004353.GF351@nitro.dk> <20030120165940.A65713@xorpc.icir.org>
On 2003.01.20 16:59:40 +0000, Luigi Rizzo wrote:
> > I recently found a problem where ipfw2 would allow the user to create
> > firewall rules that do not make sense like (notice udp and setup) :
> here "not make sense" means "they will never match any packet".

Yes - I should properly have written that.

> Now, no matter which checks you implement on a single rule, you can
> still generate sequences of rules that never match any traffic. E.g.

Yes, I know it is not possible to make it catch all eventualities.

> No, I don't think it is useful to have extra sanity check in userland,
> both for the above reason, and because these checks can be bypassed
> using directly the kernel ABI.
>
> There _are_ sanity checks in the kernel but these are only meant
> to avoid crashing the box by pushing in random configurations. If
> a rule matches no packets, tough -- it is not a problem of the firewall
> per se and it does not cause the box to break.

Ok - the extra check was only to make the user aware of simple errors
(that ipfw1 did not allow). If you don't think the checks should be
there then I can live with that so the PR can be closed.

-- 
Simon L. Nielsen
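A userland check of the kind the thread discusses, added here as an example (not code from ipfw or from either poster): it flags rules whose TCP-only or ICMP-only options are combined with a protocol they can never match, such as the udp/setup case above. It accepts only the common single-protocol rule form `[ipfw] [add] [num] action [log] proto from SRC to DST [options]`; the option/protocol tables, the ACTIONS list and the sample ruleset are this example's own simplification of ipfw(8), and a `{ tcp or udp }` protocol list is deliberately not handled.

```python
# Options that test TCP-only header fields, and the one that tests the ICMP header.
TCP_ONLY = {"setup", "established", "tcpflags", "tcpoptions", "tcpseq", "tcpack", "tcpwin"}
ICMP_ONLY = {"icmptypes"}
ANY_PROTO = {"ip", "all", "ip4", "ip6"}          # do not restrict the protocol at all
ACTIONS = {"allow", "accept", "pass", "permit", "deny", "drop", "reject", "count", "check-state",
           "skipto", "unreach", "divert", "tee", "fwd", "pipe", "queue"}   # simplified subset
WITH_ARG = {"skipto", "unreach", "divert", "tee", "fwd", "pipe", "queue"}  # action takes an argument

def parse_rule(rule):
    """Return (protocol, option tokens) for the single-protocol rule form
    '[ipfw] [add] [num] action [log] proto from SRC to DST [options]'."""
    toks = rule.lower().split()
    while toks and (toks[0] in {"ipfw", "add"} or toks[0].isdigit()):
        toks.pop(0)                                # drop command prefix and rule number
    if not toks or toks[0] not in ACTIONS:
        raise ValueError("no action keyword in rule: %r" % rule)
    i = 1 + (toks[0] in WITH_ARG)                  # skip the action's argument, if any
    if i < len(toks) and toks[i] == "log":
        i += 1
    proto = toks[i] if i < len(toks) and toks[i] != "{" else None   # '{' = protocol list, not handled
    # Everything after the destination address (ports included) is treated as options.
    opts = set(toks[toks.index("to") + 2:]) if "to" in toks else set()
    return proto, opts

def dead_rule_reason(rule):
    """Explain why a rule can never match, or return None if this check finds nothing."""
    proto, opts = parse_rule(rule)
    if proto is None or proto in ANY_PROTO:
        return None
    for needs, names in (("tcp", TCP_ONLY), ("icmp", ICMP_ONLY)):
        hits = sorted(opts & names)
        if hits and proto != needs:
            return "%s require(s) %s, but protocol is %s" % (", ".join(hits), needs, proto)
    return None

def lint(rules):
    """Map every never-matching rule in the list to its reason."""
    return {r: why for r in rules for why in [dead_rule_reason(r)] if why}

# Constructed sample ruleset; rule 200 is the udp/setup case from the thread.
SAMPLE_RULES = [
    "ipfw add 100 allow tcp from any to me 22 setup",
    "ipfw add 200 allow udp from any to any setup",
    "ipfw add 300 deny icmp from any to any icmptypes 8",
    "ipfw add 400 allow udp from any to any 53 icmptypes 0",
    "ipfw add 65000 allow ip from any to any established",
]

if __name__ == "__main__":
    for rule, why in lint(SAMPLE_RULES).items():
        print("never matches: %s (%s)" % (rule, why))
```

As Luigi notes, a check like this only catches single-rule mistakes; a rule shadowed by an earlier one in the sequence is still silently dead.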