FreeBSD Mail Archives
max at love2party.net
Sun Aug 19 09:31:58 PDT 2007
On Sunday 19 August 2007, Dmitry Pryanishnikov wrote:
> > Date: Sat, 4 Aug 2007 20:35:42 +0000 (UTC)
> > From: "Christian S.J. Peron" <csjp at FreeBSD.org>
> > To: src-committers at FreeBSD.org, cvs-src at FreeBSD.org,
> > cvs-all at FreeBSD.org
> > Subject: cvs commit: src/sbin/ipfw ipfw.8
> > Message-ID: <200708042035.l74KZg6K061244 at repoman.freebsd.org>
> > csjp 2007-08-04 20:35:42 UTC
> > FreeBSD src repository
> > Modified files:
> > sbin/ipfw ipfw.8
> > Log:
> > Remove references to mpsafenet. This option no longer exists.
> I think this commit may create a false feeling that using ipfw features
> such as gid, jail, uid and dummynet for IPv6 are now available for
> general use. However, I don't see commit messages for the locking fixes
> which would make these options safe. If I don't miss anything here,
> removal of the debug.mpsafenet makes all these ipfw uses always
> dangerous, so this fact should be mentioned in BUGS section of the
> manpage (until someone actually fixes those uses).
As discussed before the removal of mpsafenet, the LOR reported for uid,
gid and jail rules is a false positive! There is no danger (of deadlock)
from using these rules.
I'd still discourage the use of these options as they don't always do what
people expect. The right solution is a MAC-based filter in the socket
layer. Although it does !sometimes! make sense to drop/accept packets
early. Esp. with protocols like ftp or sip it can be helpful, but one
should still be aware of the implications.
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News