* Alexander Bluhm <alexander.bl...@gmx.net> [2011-02-05 19:02]:
> On Sat, Feb 05, 2011 at 03:24:11PM +0100, Henning Brauer wrote:
> > I'm pretty damn sure we catch that way earlier.
>
> You are right.
>
> pf_test():
>         case IPPROTO_ICMPV6: {
>                 action = PF_DROP;
>                 DPFPRINTF(LOG_NOTICE,
>                     "dropping IPv4 packet with ICMPv6 payload");
>                 goto done;
>         }
>
> pf_test6():
>         case IPPROTO_ICMP: {
>                 action = PF_DROP;
>                 DPFPRINTF(LOG_NOTICE,
>                     "dropping IPv6 packet with ICMPv4 payload");
>                 goto done;
>         }
>
> But then some more checks in pf_test_rule() are dead code and should
> be removed. Either we rely on the checks in pf_test[46]() or we
> don't. But we should do it consistently.

indeed. and as much as i'm all for defensive programming, pf_test_rule will never be called from anything but pf_test[6] - at least without heavy heavy major super duper changes, besides there not being a reason to. thus:

> ok?

yes.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
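The entry-point check discussed in this thread, as an added example that is not part of the original messages and is not OpenBSD's pf code: a simplified user-space C sketch that rejects an ICMP variant that does not belong to the packet's IP version, walking IPv6 extension headers to reach the final next-header value. The function `af_icmp_check`, the `verdict` enum and the sample headers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA protocol numbers used below. */
enum { P_HOPOPTS = 0, P_ICMP = 1, P_ROUTING = 43, P_ICMPV6 = 58, P_DSTOPTS = 60 };
enum verdict { V_BAD = -1, V_PASS = 0, V_DROP = 1 };

/* Constructed sample headers (all other bytes zero), not captured traffic. */
static const uint8_t v4_icmp4[20] = { [0] = 0x45, [9] = P_ICMP };
static const uint8_t v4_icmp6[20] = { [0] = 0x45, [9] = P_ICMPV6 };
static const uint8_t v6_icmp6[40] = { [0] = 0x60, [6] = P_ICMPV6 };
/* IPv6 + 8-byte hop-by-hop header whose next header is ICMPv4. */
static const uint8_t v6_hbh_icmp4[48] = { [0] = 0x60, [6] = P_HOPOPTS, [40] = P_ICMP };

/* Hypothetical entry-point check: the ICMP variant must match the IP version. */
enum verdict
af_icmp_check(const uint8_t *p, size_t len)
{
	if (len < 1)
		return V_BAD;
	if ((p[0] >> 4) == 4) {
		if (len < 20)
			return V_BAD;
		return p[9] == P_ICMPV6 ? V_DROP : V_PASS;
	}
	if ((p[0] >> 4) != 6 || len < 40)
		return V_BAD;
	uint8_t nxt = p[6];
	size_t off = 40;
	/* Skip extension headers that share the (next header, length) layout. */
	while (nxt == P_HOPOPTS || nxt == P_ROUTING || nxt == P_DSTOPTS) {
		if (len - off < 2)
			return V_BAD;
		size_t hlen = ((size_t)p[off + 1] + 1) * 8;
		if (len - off < hlen)
			return V_BAD;
		nxt = p[off];
		off += hlen;
	}
	return nxt == P_ICMP ? V_DROP : V_PASS;
}

int
main(void)
{
	printf("%d %d %d %d\n", af_icmp_check(v4_icmp4, sizeof(v4_icmp4)),
	    af_icmp_check(v4_icmp6, sizeof(v4_icmp6)),
	    af_icmp_check(v6_icmp6, sizeof(v6_icmp6)),
	    af_icmp_check(v6_hbh_icmp4, sizeof(v6_hbh_icmp4)));
	return 0;
}
```

With the mismatch rejected once at the entry point, a later rule-evaluation stage that is only reachable through it never sees a cross-family ICMP packet, which is why repeating the test there is dead code.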