kern/164402: [pf] pf crashes with a particular set of rules when
first matching packet arrives
Gleb Smirnoff
glebius at FreeBSD.org
Tue Apr 17 09:48:27 UTC 2012
Replying only on one paragraph, everything else agreed.
On Tue, Apr 17, 2012 at 11:33:27AM +0200, Ermal Luçi wrote:
E> The only problem I might see is when running more than one firewall
E> together, but still there are other issues when you do that at pfil(9)
E> level.
Well, playing with two firewalls was never safe and clear, there will
always be edge cases in such setups.
E> Also, if_simloop is not meant for packets leaving the host, so that
E> should be safe, no?
Shouldn't leave, but it still enters pfil(9) and there one or the other
firewall can again bounce it in any direction. Probably M_SKIP_FIREWALL
is a good idea.
--
Totus tuus, Glebius.