> it is the status quo *right now*

Look, you can't call something the status quo when a commit was made 1 month ago, to a REAL status quo that existed for 10 years when itojun made the change... and immediately after this recent commit we started arguing about the change.

Go find out what "status quo" means.

> > It *was* being filtered, until a month ago.
>
> no news here - we had discussed that change at the time. pretty sure
> you were in the loop even.

No, I was not in the loop before it was committed, and many others were not either. Apparently only you and mikeb were, and you did NOT push for more people to know about the change before it was committed.

> I stand by my point either way. the stack check for forwarded packets
> is either very incomplete or expensive. the approach "stack protects the
> local machine (in this case: don't obey RH0), pf handles forwarded
> packets" matches what we do generally.

And if pf is disabled, you have an astoundingly disruptive attack on your hands. Then the itojun check helps, not for all cases, but for the most common form of the attack which is the most disruptive.

On the other hand, if pf is enabled, then the existing code is entirely free since it doesn't get run (I am talking about the new version of the bluhm change to bring the behaviour back ONLY if pf is disabled).

The non-pf RH0 filtering case is worthwhile.
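The check under discussion is an in-stack test for an IPv6 Routing Header of type 0 (RH0). The following is an added example, not OpenBSD code and not the itojun or bluhm diff being argued about: it walks the IPv6 extension-header chain of a raw packet and reports whether an RH0 is present, which is the detection half of a "drop RH0 when pf is not running" policy. Header lengths follow RFC 2460/4302 layouts; the packet builder and the function names `ipv6_has_rh0` and `build_rh0_packet` are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: RH0 detection over a raw IPv6 packet (not OpenBSD code). */

#define IPV6_HDRLEN      40
#define IPPROTO_HOPOPTS   0
#define IPPROTO_ROUTING  43
#define IPPROTO_FRAGMENT 44
#define IPPROTO_AH       51
#define IPPROTO_DSTOPTS  60
#define IPPROTO_ICMPV6   58

/* Returns 1 if the packet carries a Routing Header with type 0,
 * 0 if the chain ends without one, -1 if the packet is malformed or truncated. */
int ipv6_has_rh0(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDRLEN || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nxt = pkt[6];          /* Next Header of the fixed header */
    size_t off = IPV6_HDRLEN;
    /* Bound the walk so a crafted chain cannot loop indefinitely. */
    for (int i = 0; i < 16; i++) {
        size_t hlen;
        switch (nxt) {
        case IPPROTO_HOPOPTS:
        case IPPROTO_DSTOPTS:
        case IPPROTO_ROUTING:
            if (off + 2 > len) return -1;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;   /* Hdr Ext Len excludes first 8 octets */
            if (off + hlen > len) return -1;
            if (nxt == IPPROTO_ROUTING && pkt[off + 2] == 0)  /* Routing Type field */
                return 1;
            break;
        case IPPROTO_FRAGMENT:
            if (off + 8 > len) return -1;
            hlen = 8;
            break;
        case IPPROTO_AH:
            if (off + 2 > len) return -1;
            hlen = ((size_t)pkt[off + 1] + 2) * 4;   /* AH length is in 4-octet units */
            if (off + hlen > len) return -1;
            break;
        default:
            return 0;  /* upper-layer protocol reached: no RH0 in the chain */
        }
        nxt = pkt[off];
        off += hlen;
    }
    return -1;
}

/* Constructed test input: minimal IPv6 header followed by one Routing Header
 * carrying two 16-byte segment addresses, then ICMPv6 as the next header.
 * rh_type selects the Routing Type field (0 = RH0). Returns bytes written. */
size_t build_rh0_packet(uint8_t *buf, size_t cap, uint8_t rh_type)
{
    size_t rh_len = 8 + 2 * 16;
    size_t total = IPV6_HDRLEN + rh_len;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                        /* version 6 */
    buf[4] = (uint8_t)(rh_len >> 8);      /* payload length */
    buf[5] = (uint8_t)(rh_len & 0xff);
    buf[6] = IPPROTO_ROUTING;             /* next header: routing */
    buf[7] = 64;                          /* hop limit */
    uint8_t *rh = buf + IPV6_HDRLEN;
    rh[0] = IPPROTO_ICMPV6;               /* next header after the routing header */
    rh[1] = (uint8_t)(rh_len / 8 - 1);    /* hdr ext len in 8-octet units */
    rh[2] = rh_type;                      /* routing type */
    rh[3] = 2;                            /* segments left */
    return total;
}

int main(void)
{
    uint8_t buf[128];
    size_t n = build_rh0_packet(buf, sizeof buf, 0);
    printf("RH0 present: %d\n", ipv6_has_rh0(buf, n));
    return 0;
}
```

A forwarding path that drops packets for which `ipv6_has_rh0` returns 1 when pf is not enabled is the shape of the non-pf case argued for above; when pf is enabled the same packets are left to the pf ruleset and this code is never reached, which is the "entirely free" property the message refers to.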