Re: NPF: fast kick

To: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
Subject: Re: NPF: fast kick
From: Maxime Villard <max%m00nbsd.net@localhost>
Date: Tue, 13 Mar 2018 21:05:03 +0100

Le 13/03/2018 à 20:48, Mindaugas Rasiukevicius a écrit :

Maxime Villard <max%m00nbsd.net@localhost> wrote:

The change I made was exactly your first sentence: perform minimum sanity
checks, to ensure the basic operation of NPF. If the basic operation
cannot be assured, then fast-kick the packet.

If you pass the packet to the ruleset machinery, things can go wrong,
because the basic operation of the machinery cannot be assured.


And why not?


Because the stateful-inspection/ruleset-machinery/JIT-code/etc use the values
that were constructed when parsing the packet. If these values are wrong,
correctness of the operations is not ensured.

Follow-Ups:
- Re: NPF: fast kick
  - From: Mindaugas Rasiukevicius

References:
- NPF: fast kick
  - From: Maxime Villard
- Re: NPF: fast kick
  - From: Mindaugas Rasiukevicius
- Re: NPF: fast kick
  - From: Maxime Villard
- Re: NPF: fast kick
  - From: Mindaugas Rasiukevicius
- Re: NPF: fast kick
  - From: Maxime Villard
- Re: NPF: fast kick
  - From: Mindaugas Rasiukevicius
- Re: NPF: fast kick
  - From: Maxime Villard
- Re: NPF: fast kick
  - From: Mindaugas Rasiukevicius

Prev by Date: Re: NPF: fast kick
Next by Date: Re: NPF: TCP options
Previous by Thread: Re: NPF: fast kick
Next by Thread: Re: NPF: fast kick
Indexes:

Home | Main Index | Thread Index | Old Index