On 6-2-2012 10:52, Armin Wolfermann wrote: > * Camiel Dobbelaar <c...@sentia.nl> [05.02.2012 20:19]: >> I'm not sure that pftabled is still maintained though. > > It is. > >> I reported a big flaw to the author in 2010 and it was never fixed. > > Aborting on a failure condition is not a flaw.
Come on... it's a network daemon. It should be robust: able to handle wrong inputs and temporary failures. Right now, the daemon aborts when the table is not known: $ ./pftabled-client 127.0.0.1 56789 nonexist add 1.1.1.1 Server: $ sudo pftabled <after receiving packet from pftabled-client above> pftabled: ioctl: Invalid argument Or when I supply a wrong netmask (I modifed pftabled-client to allow it, the server should not trust clients to be well behaved): $ ./pftabled-client 127.0.0.1 56789 test add 1.1.1.1/33 There's probably more. pftabled should sanitize that stuff before feeding it into the kernel. AND be prepared to handle failure. > I told you in my reply > to your code review that pftabled is running on high-volume sites > doing several inserts per second without a single observation of > this condition. Sure, it may work great for you and a temporary failure may even be very hard to trigger. But why not just handle it instead of aborting? > However, your suggestion is on my list and will be > included in the next release. Ok good to hear it. -- Cam
