On 1 Aug 2017, at 11:30, Kajetan Staszkiewicz wrote:
> Hey, group.
> A thought came to me: is it really the best thing to panic when errors are
> encountered within pf? I understand there are situations where it is safer for
> the kernel to not continue running like some low-level operations in memory
> allocator or filesystems. But a firewall? Especially that a firewall handles
> packets coming from the Internet which can be arbitrarily crafted.
pf does not use panic() to handle bad packets, but to handle **impossible** 
Basically, what you see here are assertions (go count KASSERT() too), not error 

If it were possible to trigger such a panic by sending a bad packet it would be 
a bug, yes, but that’s not what’s happening here. These panics document 
invariants. They are assertions.
Once the impossible has happened there’s no sane way for the system to 
continue. It would be irresponsible to even try.
Removing them would make pf **more** vulnerable to exploitation, not less.
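To make the distinction in the reply concrete, the following is an added illustration that is not code from the thread or from pf itself. It separates the two failure classes the reply describes: checks on attacker-controlled packet bytes, which are answered with a drop verdict and never with a panic, and an invariant on the code's own state table, which is asserted because once it fails nothing the code holds can be trusted. The `INVARIANT()` macro is a hypothetical stand-in for FreeBSD's `KASSERT()`, the state table and packets are constructed sample data, and the IPv4 handling is deliberately minimal.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two distinct failure classes, kept apart on purpose:
 *  - untrusted input (packet bytes off the wire) is validated and, when
 *    malformed, answered with a DROP verdict;
 *  - an internal invariant (bookkeeping the code itself maintains) is
 *    checked with an assertion that stops the program, because once it
 *    fails there is no state the code can trust. */

enum verdict { PF_PASS = 0, PF_DROP = 1 };

/* Hypothetical stand-in for FreeBSD's KASSERT(): it must never depend on
 * packet contents, only on the consistency of our own data structures. */
#define INVARIANT(cond, msg) \
    do { if (!(cond)) { fprintf(stderr, "invariant violated: %s\n", (msg)); abort(); } } while (0)

/* Minimal IPv4 header view; addresses are host integers built from the
 * wire bytes so that comparisons are endian-independent. */
struct ip4 { uint8_t ihl; uint8_t proto; uint16_t total_len; uint32_t src, dst; };

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Every check here is on attacker-controlled data, so every failure is
 * reported to the caller as an error code; nothing here may assert. */
int parse_ip4(const uint8_t *buf, size_t len, struct ip4 *out) {
    if (len < 20) return -1;                 /* shorter than a minimal header */
    if ((buf[0] >> 4) != 4) return -1;       /* not IPv4 */
    unsigned ihl = (buf[0] & 0x0f) * 4u;
    if (ihl < 20 || ihl > len) return -1;    /* header length exceeds the buffer */
    unsigned tl = (unsigned)buf[2] << 8 | buf[3];
    if (tl < ihl || tl > len) return -1;     /* total length inconsistent */
    out->ihl = (uint8_t)ihl;
    out->proto = buf[9];
    out->total_len = (uint16_t)tl;
    out->src = be32(buf + 12);
    out->dst = be32(buf + 16);
    return 0;
}

/* Toy state table; `refs` is internal bookkeeping, never set from a packet. */
struct pf_state { uint32_t src, dst; uint8_t proto; int refs; };

struct pf_state *state_lookup(struct pf_state *tbl, size_t n, const struct ip4 *h) {
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].src == h->src && tbl[i].dst == h->dst && tbl[i].proto == h->proto) {
            /* A matched entry with no references means our own accounting is
             * broken: an impossible condition, not a bad packet. */
            INVARIANT(tbl[i].refs > 0, "live state entry with zero refcount");
            return &tbl[i];
        }
    }
    return NULL;
}

enum verdict pf_test(struct pf_state *tbl, size_t n, const uint8_t *pkt, size_t len) {
    struct ip4 h;
    if (parse_ip4(pkt, len, &h) != 0)
        return PF_DROP;                      /* malformed input: drop, never panic */
    return state_lookup(tbl, n, &h) ? PF_PASS : PF_DROP;
}

/* Constructed sample data (not captured traffic): one known flow in the table. */
static struct pf_state table[1] = {
    { 0xC0A80001u /* 192.168.0.1 */, 0x0A000001u /* 10.0.0.1 */, 6 /* TCP */, 1 }
};

/* Build a 20-byte IPv4 header with no options into buf. */
static size_t make_ip4(uint8_t *buf, uint32_t src, uint32_t dst, uint8_t proto) {
    memset(buf, 0, 20);
    buf[0] = 0x45;                           /* version 4, IHL 5 */
    buf[3] = 20;                             /* total length 20 */
    buf[9] = proto;
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    return 20;
}

/* Four scenarios a reader can run; each returns the verdict pf_test gave. */
enum verdict demo_known_flow(void) {
    uint8_t pkt[20];
    size_t n = make_ip4(pkt, 0xC0A80001u, 0x0A000001u, 6);
    return pf_test(table, 1, pkt, n);
}
enum verdict demo_unknown_flow(void) {
    uint8_t pkt[20];
    size_t n = make_ip4(pkt, 0xC0A80001u, 0x0A000002u, 6);
    return pf_test(table, 1, pkt, n);
}
enum verdict demo_truncated(void) {
    uint8_t pkt[20];
    make_ip4(pkt, 0xC0A80001u, 0x0A000001u, 6);
    return pf_test(table, 1, pkt, 12);       /* only 12 bytes arrived */
}
enum verdict demo_bogus_ihl(void) {
    uint8_t pkt[20];
    size_t n = make_ip4(pkt, 0xC0A80001u, 0x0A000001u, 6);
    pkt[0] = 0x4F;                           /* IHL claims a 60-byte header in 20 bytes */
    return pf_test(table, 1, pkt, n);
}

int main(void) {
    printf("known flow:   %s\n", demo_known_flow() == PF_PASS ? "pass" : "drop");
    printf("unknown flow: %s\n", demo_unknown_flow() == PF_PASS ? "pass" : "drop");
    printf("truncated:    %s\n", demo_truncated() == PF_PASS ? "pass" : "drop");
    printf("bogus IHL:    %s\n", demo_bogus_ihl() == PF_PASS ? "pass" : "drop");
    return 0;
}
```

Note that none of the malformed packets reach `INVARIANT()`: the only path to it runs through `parse_ip4()`, which has already rejected anything the wire could lie about. The assertion can therefore fire only if the table itself is corrupted, which is exactly the "impossible" condition the reply is talking about, and the condition under which continuing would be the unsafe choice.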

