Is panic() the way to handle errors in pf?

Kristof Provost kp at FreeBSD.org
Wed Aug 2 08:03:24 UTC 2017


On 1 Aug 2017, at 11:30, Kajetan Staszkiewicz wrote:
> Hey, group.
>
> A thought came to me: is it really the best thing to panic when errors are
> encountered within pf? I understand there are situations where it is safer for
> the kernel to not continue running like some low-level operations in memory
> allocator or filesystems. But a firewall? Especially that a firewall handles
> packets coming from the Internet which can be arbitrarily crafted.
>
pf does not use panic() to handle bad packets, but to handle **impossible** situations.
Basically, what you see here are assertions (go count KASSERT() too), not error paths.

If it were possible to trigger such a panic by sending a bad packet it would be a bug, yes, but that’s not what’s happening here. These panics document invariants. They are assertions.
Once the impossible has happened there’s no sane way for the system to continue. It would be irresponsible to even try.
Removing them would make pf **more** vulnerable to exploitation, not less.

Regards,
Kristof
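The distinction Kristof draws, an error path for anything an attacker can influence versus an assertion for an internal invariant that no input should ever be able to falsify, is easier to see in code. The following C program is an added illustration written for this page; it is not pf code and not the author's, and every name in it (`INVARIANT`, `toy_hdr`, `parse_packet`, `state_table`, the sample packets) is hypothetical. `INVARIANT()` plays the role of the kernel's `KASSERT()`: a failure there means the code's own bookkeeping is corrupt, which in the kernel would be a panic, whereas a malformed packet is simply rejected with a return code.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's KASSERT(): the condition is an internal invariant
 * that no input, however hostile, should be able to falsify. In the kernel a
 * failed KASSERT() panics; here it aborts through assert(). */
#define INVARIANT(cond, msg) assert((cond) && msg)

/* Hypothetical minimal header: version byte, protocol byte, 16-bit payload length. */
struct toy_hdr {
    uint8_t  version;
    uint8_t  proto;
    uint16_t payload_len;
};

/* Parse untrusted bytes. Malformed input is an ERROR PATH: return -1, never assert. */
int parse_packet(const uint8_t *buf, size_t len, struct toy_hdr *out)
{
    if (buf == NULL || out == NULL) return -1;
    if (len < 4) return -1;                      /* truncated header */
    if (buf[0] != 1) return -1;                  /* unknown version */
    uint16_t plen = (uint16_t)((buf[2] << 8) | buf[3]);
    if ((size_t)plen + 4 != len) return -1;      /* length field disagrees with buffer */
    out->version = buf[0];
    out->proto = buf[1];
    out->payload_len = plen;
    return 0;
}

/* A tiny state table. The invariant 0 <= used <= TABLE_CAP is internal
 * bookkeeping: only a bug in this code can violate it, never a packet. */
#define TABLE_CAP 4
struct state_table {
    int used;
    uint16_t keys[TABLE_CAP];
};

/* Returns 0 on success, -1 when full. Table exhaustion is an expected
 * condition under load, so it is an error path, not an assertion. */
int state_insert(struct state_table *t, uint16_t key)
{
    INVARIANT(t->used >= 0 && t->used <= TABLE_CAP, "state table bookkeeping corrupted");
    if (t->used == TABLE_CAP) return -1;
    t->keys[t->used++] = key;
    return 0;
}

/* Process one packet: 1 = accepted into the table, 0 = dropped as malformed,
 * -1 = dropped because the table is full. */
int process_packet(struct state_table *t, const uint8_t *buf, size_t len)
{
    struct toy_hdr h;
    if (parse_packet(buf, len, &h) != 0) return 0;
    if (state_insert(t, h.payload_len) != 0) return -1;
    return 1;
}

/* Constructed sample traffic (not captured data): one valid packet, one whose
 * length field lies, one truncated, one with an unknown version. */
static const uint8_t pkt_ok[]     = {1, 6, 0, 2, 0xAA, 0xBB};
static const uint8_t pkt_badlen[] = {1, 6, 0, 9, 0xAA, 0xBB};
static const uint8_t pkt_trunc[]  = {1, 6, 0};
static const uint8_t pkt_badver[] = {7, 6, 0, 0};

struct demo_result { int accepted; int malformed; int full; };

/* Feed eight packets through a fresh table and tally the outcomes. Five of
 * them are valid; the table holds four, so the fifth valid one is refused. */
struct demo_result run_demo(void)
{
    struct state_table t;
    struct demo_result r = {0, 0, 0};
    const uint8_t *pkts[] = {pkt_ok, pkt_badlen, pkt_trunc, pkt_badver,
                             pkt_ok, pkt_ok, pkt_ok, pkt_ok};
    const size_t lens[]   = {sizeof pkt_ok, sizeof pkt_badlen, sizeof pkt_trunc, sizeof pkt_badver,
                             sizeof pkt_ok, sizeof pkt_ok, sizeof pkt_ok, sizeof pkt_ok};
    memset(&t, 0, sizeof t);
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        switch (process_packet(&t, pkts[i], lens[i])) {
        case 1:  r.accepted++;  break;
        case 0:  r.malformed++; break;
        default: r.full++;      break;
        }
    }
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("accepted=%d malformed=%d table_full=%d\n", r.accepted, r.malformed, r.full);
    return 0;
}
```

Note where the two mechanisms sit: every check on `buf` and `len` in `parse_packet()` is a plain conditional with a return value, because those bytes come from the wire; the only `INVARIANT()` guards a counter the code itself maintains. Compile with `cc -Wall demo.c && ./a.out`; the program runs all three malformed packets through without tripping the invariant, which is exactly the property the mail describes for pf.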