Hi,

(while technically in the wrong mail thread for the "should PF stay?" discussion, this is still interesting)

On Fri, Jan 22, 2021 at 07:39:31AM +0000, tincanteksup wrote:
> I agree that a VPN should focus on its task and not try to be a firewall.
>
> I do use the PF plugin but it is of little, if any, actual use, which is
> not handled better elsewhere.

Which PF plugin do you use? defer/simple? Or something else, which is not a Big Gaping Security Hole?

> I do not pretend to understand the intricacies of the code but if
> removing the packet filter plugin is relatively simple and clean then,
> from a user point-of-view, it makes more sense to drop it. Less
> complication overall.

If you look into the code for places where you find ENABLE_PF or PLUGIN_PF, you can see that it really touches a LOT of places - and every single line of code increases the chance that it breaks on future changes, unless someone invests the time to write test rigs that test all these code paths (which gets increasingly complex with some features).

Even testing all the "how is a packet forwarded or not?" paths might not have caught *this* problem, as it is basically the "I have enabled PF but the PF initialization failed" corner case, which is often overlooked when building tests for the "I have enabled PF and want to make sure PF works!" case...

So, yes, ripping this out would make the code much simpler in some critical paths.

OTOH pf can do nice things you can't easily do with a linux firewall, like "accept packets from this *other* client only, identified by common_name" (without having to know the actual IP address and subnets assigned to it). This is nice. But if it is not used, it's more "theoretically nice" and still can get kicked...

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
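As an added illustration of the "PF enabled but initialization failed" corner case described above, here is a hypothetical stand-alone C sketch (not OpenVPN's code and not the PF plugin's): a tiny common_name-based filter whose forwarding decision fails closed whenever filtering was requested but never initialised. The names `pf_ctx`, `pf_init` and `pf_allow` are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical filter modelled on the idea "accept packets from this
 * other client only, identified by common_name". Not OpenVPN code. */
#define PF_MAX_RULES 8

struct pf_ctx {
    bool enabled;                        /* operator asked for PF            */
    bool initialized;                    /* pf_init() actually succeeded     */
    int nrules;
    const char *allow_cn[PF_MAX_RULES];  /* common_names allowed to reach us */
};

/* Initialise from a rule list. A NULL list simulates the init-failure path:
 * the context stays "enabled" but never becomes "initialized". */
bool pf_init(struct pf_ctx *ctx, const char **cns, int n)
{
    ctx->enabled = true;
    ctx->initialized = false;
    ctx->nrules = 0;
    if (cns == NULL || n < 0 || n > PF_MAX_RULES)
        return false;                    /* enabled, but initialisation failed */
    for (int i = 0; i < n; i++)
        ctx->allow_cn[i] = cns[i];
    ctx->nrules = n;
    ctx->initialized = true;
    return true;
}

/* Forwarding decision. The important check is the fail-closed one:
 * "enabled but not initialized" must deny, never fall through to allow. */
bool pf_allow(const struct pf_ctx *ctx, const char *src_cn)
{
    if (!ctx->enabled)
        return true;                     /* PF not requested: plain forwarding */
    if (!ctx->initialized)
        return false;                    /* the overlooked corner case: deny */
    for (int i = 0; i < ctx->nrules; i++)
        if (strcmp(ctx->allow_cn[i], src_cn) == 0)
            return true;
    return false;                        /* default deny */
}

int main(void)
{
    struct pf_ctx ctx;
    pf_init(&ctx, NULL, 0);              /* simulate a failed initialisation */
    printf("PF enabled, init failed -> %s\n", pf_allow(&ctx, "client-a") ? "ALLOW" : "DENY");
    return 0;
}
```

The test that catches the corner case is the third block below, not the "rules work" block that most test rigs stop at.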