* Alexandr Nedvedicky <[email protected]> [2015-05-21 21:29]:
> > Well, not entirely (:  I did it while exploring the code and sent
> > out to provoke further discussion.  Today I've talked to reyk@ and
> > we think that it's better to go down a different road: make sure we
> > don't create states on reply packets in the first place.
> that's actually a very wise approach as replies can be spoofed...

agreed.

> > I've tested this with ICMP, ICMPv6 and NAT64 (slightly).  Any OKs?
> > Objections?
> I have no objections, just a small wish, can you set icmp_dir to -1,
> if we are not dealing with ICMP? there is a tool we use in Solaris,
> which yells at us because of an uninitialized variable. I know it's
> a false positive, but I've given up on explaining...

I don't see any harm done by this on our side, so yeah, why not.
having a default case there is better style anyway.

-- 
Henning Brauer, [email protected], [email protected]
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
