Re: IPv6 routing header type 0

2013-11-15 Thread Henning Brauer
* Theo de Raadt dera...@cvs.openbsd.org [2013-11-15 01:38]: My diff was on tech@ for one day during a hackathon before I committed it. NOT hidden / circulated privately. The reasons why I removed the check in the stack are: - Scanning headers in the forwarding path is against the spirit of

Re: IPv6 routing header type 0

2013-11-15 Thread Alexander Bluhm
On Thu, Nov 14, 2013 at 05:38:14PM -0700, Theo de Raadt wrote: Beautiful. It seems there was enough discussion. The security argument is more important than the others. The new diff has no performance impact when pf is turned on. So I need OKs. bluhm Index: net/pf.c

Re: IPv6 routing header type 0

2013-11-15 Thread Mike Belopuhov
On 15 November 2013 15:08, Alexander Bluhm alexander.bl...@gmx.net wrote: On Thu, Nov 14, 2013 at 05:38:14PM -0700, Theo de Raadt wrote: Beautiful. It seems there was enough discussion. The security argument is more important than the others. The new diff has no performance impact when pf

Re: IPv6 routing header type 0

2013-11-14 Thread Loganaden Velvindron
On Thu, Nov 14, 2013 at 4:27 AM, Alexander Bluhm alexander.bl...@gmx.net wrote: On Fri, Oct 18, 2013 at 08:45:02PM +0200, Alexander Bluhm wrote: Our IPv6 stack scans all extension headers for routing header type 0 and drops the packet if it finds one. RFC 5095 demands to handle a routing

Re: IPv6 routing header type 0

2013-11-14 Thread Henning Brauer
* Alexander Bluhm alexander.bl...@gmx.net [2013-11-14 01:29]: Theo and others don't like that change as it decreases security. There are hosts out there that still process RH0 and there are OpenBSD routers with pf disabled. This diff brings back the header chain scanning. As an improvement

Re: IPv6 routing header type 0

2013-11-14 Thread Theo de Raadt
I guess it would help people who decide to disable pf for a slight performance benefit? Quite obviously people are doing this on a variety of machines, such as bgp routers.

Re: IPv6 routing header type 0

2013-11-14 Thread Theo de Raadt
* Alexander Bluhm alexander.bl...@gmx.net [2013-11-14 01:29]: Theo and others don't like that change as it decreases security. There are hosts out there that still process RH0 and there are OpenBSD routers with pf disabled. This diff brings back the header chain scanning. As an

Re: IPv6 routing header type 0

2013-11-14 Thread Henning Brauer
* Theo de Raadt dera...@cvs.openbsd.org [2013-11-14 16:35]: * Alexander Bluhm alexander.bl...@gmx.net [2013-11-14 01:29]: Theo and others don't like that change as it decreases security. There are hosts out there that still process RH0 and there are OpenBSD routers with pf disabled.

Re: IPv6 routing header type 0

2013-11-14 Thread Theo de Raadt
it is the status quo *right now* Look, you can't call something the status quo when a commit was made 1 month ago, to a REAL status quo that existed for 10 years when itojun made the change... and immediately after this recent commit we started arguing about the change. Go find out what

Re: IPv6 routing header type 0

2013-11-14 Thread Henning Brauer
* Theo de Raadt dera...@cvs.openbsd.org [2013-11-14 18:47]: it is the status quo *right now* Look, you can't call something the status quo when a commit was made 1 month ago, to a REAL status quo that existed for 10 years when itojun made the change... and immediately after this recent

Re: IPv6 routing header type 0

2013-11-14 Thread Theo de Raadt
* Theo de Raadt dera...@cvs.openbsd.org [2013-11-14 18:47]: it is the status quo *right now* Look, you can't call something the status quo when a commit was made 1 month ago, to a REAL status quo that existed for 10 years when itojun made the change... and immediately after this

Re: IPv6 routing header type 0

2013-11-14 Thread Mike Belopuhov
On 14 November 2013 18:52, Henning Brauer lists-openbsdt...@bsws.de wrote: * Theo de Raadt dera...@cvs.openbsd.org [2013-11-14 18:47]: it is the status quo *right now* Look, you can't call something the status quo when a commit was made 1 month ago, to a REAL status quo that existed for 10

Re: IPv6 routing header type 0

2013-11-14 Thread Theo de Raadt
Mike, we have discussed that with bluhm in berlin and initially i had the same opinion: leave the check in the stack, but he has convinced me that it's rather pf's job to do it. I agree. If pf is enabled, it can do the job and there is no need for a second scan. i'm not against bringing

Re: IPv6 routing header type 0

2013-11-14 Thread Loganaden Velvindron
On Thu, Nov 14, 2013 at 10:04 PM, Mike Belopuhov m...@belopuhov.com wrote: On 14 November 2013 18:52, Henning Brauer lists-openbsdt...@bsws.de wrote: * Theo de Raadt dera...@cvs.openbsd.org [2013-11-14 18:47]: it is the status quo *right now* Look, you can't call something the status quo

Re: IPv6 routing header type 0

2013-11-14 Thread Theo de Raadt
we have discussed that with bluhm in berlin and initially i had the same opinion: leave the check in the stack, but he has convinced me that it's rather pf's job to do it. i'm not against bringing it back and his diff looks fine to me, esp. since it avoids double check that was there

Re: IPv6 routing header type 0

2013-11-14 Thread Henning Brauer
* Theo de Raadt dera...@cvs.openbsd.org [2013-11-14 19:00]: * Theo de Raadt dera...@cvs.openbsd.org [2013-11-14 18:47]: it is the status quo *right now* Look, you can't call something the status quo when a commit was made 1 month ago, to a REAL status quo that existed for 10 years when

Re: IPv6 routing header type 0

2013-11-14 Thread Alexander Bluhm
On Thu, Nov 14, 2013 at 11:00:37AM -0700, Theo de Raadt wrote: It was not shown to enough people. PERIOD. My diff was on tech@ for one day during a hackathon before I committed it. Not enough people discussed it back then. Fine. Let's discuss it now. The reasons why I removed the check in the

Re: IPv6 routing header type 0

2013-11-14 Thread Theo de Raadt
My diff was on tech@ for one day during a hackathon before I committed it. Not enough people discussed it back then. Fine. Let's discuss it now. The reasons why I removed the check in the stack are: - Scanning headers in the forwarding path is against the spirit of IPv6. One day someone should

Re: IPv6 routing header type 0

2013-11-13 Thread Alexander Bluhm
On Fri, Oct 18, 2013 at 08:45:02PM +0200, Alexander Bluhm wrote: Our IPv6 stack scans all extension headers for routing header type 0 and drops the packet if it finds one. RFC 5095 demands to handle a routing header type 0 like an unrecognised routing type. This is enough to protect the machine itself

IPv6 routing header type 0

2013-10-18 Thread Alexander Bluhm
Hi,

Our IPv6 stack scans all extension headers for routing header type 0 and drops the packet if it finds one. RFC 5095 demands to handle a routing header type 0 like an unrecognised routing type. This is enough to protect the machine itself. To protect a network as a firewall, we have pf which