CFR: ipfw0 pseudo-interface clonable

Hiroki Sato hrs at FreeBSD.org
Thu Apr 26 23:44:49 UTC 2012


"Alexander V. Chernikov" <melifaro at FreeBSD.org> wrote
  in <4F96E71B.9020405 at FreeBSD.org>:

me> On 24.04.2012 21:05, Hiroki Sato wrote:
me> > "Alexander V. Chernikov" <melifaro at FreeBSD.org> wrote
me> >   in <4F96D11B.2060007 at FreeBSD.org>:
me> >
me> > me> On 24.04.2012 19:26, Hiroki Sato wrote:
me> > me> > Hi,
me> > me> >
me> > me> >   I created the attached patch to make the current ipfw0
me> > me> > pseudo-interface clonable.  The functionality of ipfw0 logging
me> > me> > interface is not changed by this patch, but the ipfw0
me> > me> > pseudo-interface is not created by default and can be created with
me> > me> > the following command:
me> > me> >
me> > me> >    # ifconfig ipfw0 create
me> > me> >
me> > me> > Any objection to commit this patch?  The primary motivation for this
me> > me> > change is that presence of the interface by default increases size of
me> > me> > the interface list, which is returned by NET_RT_IFLIST sysctl even
me> > me> > when the sysadmin does not need it.  Also this pseudo-interface can
me> > me> > confuse the sysadmin and/or network-related userland utilities like
me> > me> > SNMP agent.  With this patch, one can use ifconfig(8) to
me> > me> > create/destroy the pseudo-interface as necessary.
me> > me>
me> > me> ipfw_log() log_if usage is not protected, so it is possible to trigger
me> > me> use-after-free.
me> >
me> >   Ah, right.  I will revise lock handling and resubmit the patch.
me> >
me> > me> Maybe it is better to have some interface flag which makes
me> > me> NET_RT_IFLIST skip given interface?
me> >
me> >   I do not think so.  NET_RT_IFLIST should be able to list all of the
me> >   interfaces because it is the purpose.
me> Okay, another try (afair already discussed somewhere):
me> Do we really need all BPF providers to have ifnets?
me> It seems that removing all bp_bif dependencies from the BPF code is not
me> such a hard task.

 Hmm, I cannot imagine how to decouple ifnet from the bpf code because
 bpf heavily depends on it in its API (you probably know better than
 me).  Do you have any specific idea?

-- Hiroki
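The locking concern Alexander raises in the quoted text (ipfw_log() reading the global log_if pointer without protection, so that a concurrent `ifconfig ipfw0 destroy` could free the interface underneath it) is illustrated by the following model, added here as an example; it is not the patch from this thread and not FreeBSD kernel code. The toy_ names, the mutex and the per-object reference count are all assumptions of the example: the pointer is only read while the lock is held, and the logger takes its own reference before dropping the lock, so the destroy path can unlink the interface at any time without the logger ever touching freed memory.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a clonable logging pseudo-interface (not struct ifnet). */
struct toy_ifnet {
    char name[16];
    int refcount;            /* protected by log_if_lock */
    unsigned long packets;   /* protected by log_if_lock */
};

static pthread_mutex_t log_if_lock = PTHREAD_MUTEX_INITIALIZER;
/* Global pointer in the role of ipfw's log_if; NULL when no interface exists. */
static struct toy_ifnet *log_if;

/* Drop one reference; free the object when the last one goes away.
 * Caller must hold log_if_lock. */
static void toy_if_rele_locked(struct toy_ifnet *ifp)
{
    if (--ifp->refcount == 0)
        free(ifp);
}

/* Analogue of "ifconfig ipfw0 create". Returns 0, or -1 if one already exists. */
int toy_if_create(const char *name)
{
    pthread_mutex_lock(&log_if_lock);
    if (log_if != NULL) {
        pthread_mutex_unlock(&log_if_lock);
        return -1;
    }
    struct toy_ifnet *ifp = calloc(1, sizeof(*ifp));
    if (ifp == NULL) {
        pthread_mutex_unlock(&log_if_lock);
        return -1;
    }
    strncpy(ifp->name, name, sizeof(ifp->name) - 1);
    ifp->refcount = 1;   /* the reference owned by the global log_if pointer */
    log_if = ifp;
    pthread_mutex_unlock(&log_if_lock);
    return 0;
}

/* Analogue of "ifconfig ipfw0 destroy": unlink under the lock and drop the
 * global's reference. A logger that already holds its own reference keeps
 * the object alive until it is finished with it. */
int toy_if_destroy(void)
{
    pthread_mutex_lock(&log_if_lock);
    struct toy_ifnet *ifp = log_if;
    if (ifp == NULL) {
        pthread_mutex_unlock(&log_if_lock);
        return -1;
    }
    log_if = NULL;
    toy_if_rele_locked(ifp);
    pthread_mutex_unlock(&log_if_lock);
    return 0;
}

/* Analogue of ipfw_log(): returns 1 if the packet was accounted to the
 * interface, 0 if there was no interface and the packet was dropped. */
int toy_ipfw_log(size_t pktlen)
{
    pthread_mutex_lock(&log_if_lock);
    struct toy_ifnet *ifp = log_if;
    if (ifp == NULL) {
        pthread_mutex_unlock(&log_if_lock);
        return 0;
    }
    ifp->refcount++;                 /* pin the object before releasing the lock */
    pthread_mutex_unlock(&log_if_lock);

    /* Work that must not run under the lock (e.g. handing the packet to bpf)
     * would go here; a destroy racing with us cannot free ifp. */
    (void)pktlen;

    pthread_mutex_lock(&log_if_lock);
    ifp->packets++;
    toy_if_rele_locked(ifp);         /* may free ifp if destroy ran meanwhile */
    pthread_mutex_unlock(&log_if_lock);
    return 1;
}

/* Packet counter of the current interface, or (unsigned long)-1 if absent. */
unsigned long toy_if_packets(void)
{
    pthread_mutex_lock(&log_if_lock);
    unsigned long n = (log_if != NULL) ? log_if->packets : (unsigned long)-1;
    pthread_mutex_unlock(&log_if_lock);
    return n;
}
```

The design choice worth noting is that the lock is never held across the slow part of the logging path; the reference count, not the lock, is what keeps the object alive there, which is the same split between "protect the pointer" and "protect the object" that a destroyable cloned interface needs.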