On 3 September 2016 at 18:03, Alexandr Nedvedicky
wrote:
> Hello,
>
> there was still one more glitch catched by mikeb:
>
> I have to sanitize pointer when copying rule to userland.
>
> The other thing pointed out by mike is the Expired time should
> be printed
Hello,
there was still one more glitch catched by mikeb:
I have to sanitize pointer when copying rule to userland.
The other thing pointed out by mike is the Expired time should
be printed for expired rules only in debug mode output (pfctl -sr -g)
Incremental patch is as follows:
Hello,
> >updated version is below.
> >
> >comments? O.K.?
>
> One comment, otherwise ok.
>
> Could you assert the lock is held otherwise, this might save
> effort if/when this code is refactored:
>
> else
> rw_assert_wrlock(_consistency_lock);
sure.
also mikeb came to
On 08/30/16 02:32, Alexandr Nedvedicky wrote:
Hello,
mikeb has just pointed out the patch fell under the desk asking me to resend
it.
henning@ and mikeb@ showed some interest to change handling of once rules to
the same way as PF has it on Solaris. Just to refresh the audience on once
option
Hello,
On Tue, Aug 30, 2016 at 10:53:56AM +1000, David Gwynne wrote:
>
> > On 17 Dec 2015, at 13:30, Richard Procter
> > wrote:
> >
> >
> > Hi Sasha,
> >
> > On Fri, 18 Dec 2015, Alexandr Nedvedicky wrote:
> >
> >>> Right. I'll just note though that the patch
> On 17 Dec 2015, at 13:30, Richard Procter wrote:
>
>
> Hi Sasha,
>
> On Fri, 18 Dec 2015, Alexandr Nedvedicky wrote:
>
>>> Right. I'll just note though that the patch as it stands allows
>>> multiple winners [...] Whether that's a realistic issue, I don't
Hello,
mikeb has just pointed out the patch fell under the desk asking me to resend
it.
> henning@ and mikeb@ showed some interest to change handling of once rules to
> the same way as PF has it on Solaris. Just to refresh the audience on once
> option offered by PF:
>
> onceCreates a
Hello Richard,
> > What has to be granted is there is one 'winner' only, which puts the
> > rule to garbage collector list. The pragmatic approach wins here.
>
> Right. I'll just note though that the patch as it stands allows multiple
> winners: consider the window between testing
Hi Sasha,
On Fri, 18 Dec 2015, Alexandr Nedvedicky wrote:
> > Right. I'll just note though that the patch as it stands allows
> > multiple winners [...] Whether that's a realistic issue, I don't know.
> > I have though been bitten by enough edge cases like this to be very
> > wary of them.
On 16/12/15(Wed) 10:19, Alexandr Nedvedicky wrote:
> On Wed, Dec 16, 2015 at 02:48:49PM +1300, Richard Procter wrote:
> >
> > On Tue, 15 Dec 2015, Mike Belopuhov wrote:
> >
> > > >Yet another possibility is to drop 'once' rules as too complex to
> > > >implement for multiprocessor but I
On Wed, Dec 16, 2015 at 02:31 +0100, Alexandr Nedvedicky wrote:
> Hello,
>
> > It just occurred to me that another possibility would be a match-only
> > rule that matches one but doesn't involve any purging machinery. Right
> > now we install ftp-proxy rules as having maximum number of states
hello,
> > > It just occurred to me that another possibility would be a match-only
> > > rule that matches one but doesn't involve any purging machinery. Right
> > > now we install ftp-proxy rules as having maximum number of states equal
> > > to 1, however there's a time window between the
Hello,
On Wed, Dec 16, 2015 at 02:48:49PM +1300, Richard Procter wrote:
>
> On Tue, 15 Dec 2015, Mike Belopuhov wrote:
>
> > >Yet another possibility is to drop 'once' rules as too complex to
> > >implement for multiprocessor but I have no idea if this is viable.
> >
> > It is. And I
On 15 December 2015 at 15:36, Alexandr Nedvedicky
wrote:
> Hello,
>
>> >
>> >Another possibility would be to require 'once' rules to be 'quick'.
>> >This closes the candidacy window and makes its serialisation, to
>> >preclude multiple matches, more
Hello,
> It just occurred to me that another possibility would be a match-only
> rule that matches one but doesn't involve any purging machinery. Right
> now we install ftp-proxy rules as having maximum number of states equal
> to 1, however there's a time window between the moment the state is
On Tue, 15 Dec 2015, Mike Belopuhov wrote:
> >Yet another possibility is to drop 'once' rules as too complex to
> >implement for multiprocessor but I have no idea if this is viable.
>
> It is. And I have said that before with an authority of the implementor
> of "once" rules: since we
On 13 December 2015 at 18:56, Richard Procter
wrote:
>
> If I understand this patch:
>
> Rule removal requires the consistency lock but to acquire it one must be
> able to sleep. pf_test_rule() cannot sleep as it executes in a (soft)
> interrupt handler, so it passes
Hello,
> >
> >Another possibility would be to require 'once' rules to be 'quick'.
> >This closes the candidacy window and makes its serialisation, to
> >preclude multiple matches, more feasible.
> >
> >Yet another possibility is to drop 'once' rules as too complex to
> >
If I understand this patch:
Rule removal requires the consistency lock but to acquire it one must be
able to sleep. pf_test_rule() cannot sleep as it executes in a (soft)
interrupt handler, so it passes the expired rule to a thread which can.
However, the code to remove a 'once' rule may wish
Hello,
henning@ and mikeb@ showed some interest to change handling of once rules to
the same way as PF has it on Solaris. Just to refresh the audience on once
option offered by PF:
onceCreates a one shot rule that will remove itself from an active
ruleset after the first
20 matches
Mail list logo