Re: NPF: TCP options

[Maxime Villard <max%m00nbsd.net@localhost>]

Le 13/03/2018 à 21:22, Mindaugas Rasiukevicius a écrit :
> Maxime Villard <max%m00nbsd.net@localhost> wrote:
> > Answering in this thread now, to prevent further confusions.
> >
> > Le 13/03/2018 à 00:23, Mindaugas Rasiukevicius a écrit :
> > > > So NPF's behavior should be aligned to that of the kernel; that is to
> > > > say, NPF should ignore TCP options with uncommon lengths - which does
> > > > not mean dropping the packet. (We can discuss about changing the
> > > > kernel's behavior to be that of NPF, but as I said in my answer to
> > > > Joerg, the kernel's behavior is the one that is the most "common".)
> > >
> > > Not exactly, no.  NPF is not a host/kernel.  It is a man in the middle,
> > > concerning packets sent by different hosts (which might have different
> > > TCP/IP implementations and applications).  It operates based on its own
> > > set of rules.
> >
> > It sounds like you didn't understand my point.
> >
> > I'm saying that the TCP-options behavior in the NetBSD kernel and NPF is
> > not the same. There is a divergence. Since there is a divergence, it is
> > possible to bypass the normalization procedures on TCP options (and along
> > with that, to lead to possibly unexpected behavior).
>
> So what?  You talk about differences in behaviour, but you fail to explain
> the reasons why any of this matters.

Read the very first email of this thread, I said what was wrong about not
looking at the length of the TCP options.

It matters because of bypasses, as I said only an hour ago in the mail you
just quoted.

> Let me repeat again: it is the NPF *rules* (well, overall configuration)
> [...]

This paragraph has nothing to do here, you are mixing with the other thread.