Maxim Ignatenko
2011-10-26 20:02:41 UTC
Hi,
Recently I've found one issue with pfil on FreeBSD: packets can be checked
twice in some conditions. Here is how it happens:
1) packet arrives on ip_input|ip_output, which calls pfil_run_hooks
2) pfil_run_hooks calls hooks one by one, until ipfw's hook sends packet to
divert/netgraph/dummynet and sets mbuf pointer to NULL
3) after processing in divert/netgraph/dummynet packet (possibly changed)
passed to ip_input|ip_output once more
ipfw adds mbuf_tag to track from which rule continue processing, but other
filters does not know that they already saw this packet and checks it again.
Is this problem affects NetBSD too or it's FreeBSD-specific and NetBSD avoids
this double checking in some way?
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Recently I've found one issue with pfil on FreeBSD: packets can be checked
twice in some conditions. Here is how it happens:
1) packet arrives on ip_input|ip_output, which calls pfil_run_hooks
2) pfil_run_hooks calls hooks one by one, until ipfw's hook sends packet to
divert/netgraph/dummynet and sets mbuf pointer to NULL
3) after processing in divert/netgraph/dummynet packet (possibly changed)
passed to ip_input|ip_output once more
ipfw adds mbuf_tag to track from which rule continue processing, but other
filters does not know that they already saw this packet and checks it again.
Is this problem affects NetBSD too or it's FreeBSD-specific and NetBSD avoids
this double checking in some way?
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de