FreeBSD Mail Archives

Max Laier max at
Sun Aug 19 09:31:58 PDT 2007

On Sunday 19 August 2007, Dmitry Pryanishnikov wrote:
> Hello!
> > Date:      Sat, 4 Aug 2007 20:35:42 +0000 (UTC)
> > From:      "Christian S.J. Peron" <csjp at>
> > To:        src-committers at, cvs-src at,
> > cvs-all at Subject:   cvs commit: src/sbin/ipfw ipfw.8
> > Message-ID:  <200708042035.l74KZg6K061244 at>
> >  csjp        2007-08-04 20:35:42 UTC
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     sbin/ipfw            ipfw.8
> >   Log:
> >   Remove references to mpsafenet. This option no longer exists.
>   I think this commit may create false feeling that using ipfw features
> such as gid, jail, uid and dummynet for IPv6 are now available for
> general use. However, I don't see commit messages for the locking fixes
> which would make these options safe. If I don't miss anything here,
> removal of the debug.mpsafenet makes all these ipfw uses always
> dangerous, so this fact should be mentioned in BUGS section of the
> manpage (until someone actually fixes those uses).

As discussed before the removal of mpsafenet, the LOR reported for uid, 
gid and jail rules is a false positive!  There is no danger (of deadlock) 
from using these rules.

I'd still discourage the use of these options as they don't always do what 
people expect.  The right sollution is a MAC based filter in the socket 
layer.  Although it does !sometimes! make sense to drop/accept packets 
early.  Esp. with protocols like ftp or sip it can be helpful, but one 
should still be aware of the implications.

/"\  Best regards,                      | mlaier at
\ /  Max Laier                          | ICQ #67774661
 X  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part.
Url :

More information about the cvs-src mailing list