* Alexandr Nedvedicky <alexandr.nedvedi...@oracle.com> [2015-05-21 21:29]:
> > Well, not entirely (: I did it while exploring the code and sent
> > out to provoke further discussion. Today I've talked to reyk@ and
> > we think that it's better to go down a different road: make sure we
> > don't create states on reply packets in the first place.
> that's actually a very wise approach as replies can be spoofed...

agreed.

> > I've tested this with ICMP, ICMPv6 and NAT64 (slightly). Any OKs?
> > Objections?
> I have no objections, just a small wish, can you set icmp_dir to -1,
> if we are not dealing with ICMP? there is a tool we use in Solaris,
> which yells at us because of uninitialized variable. I know it's
> false positive, but I've given up on explaining...

I don't see any harm done by this on our side, so yeah, why not.
having a default case there is better style anyway.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/