Re: [patch] pf PPTP nat passthrough patch.
Group: mailing.openbsd.tech
Author: Stefan Sperling Date: Mar 19, 2008 05:08
On Tue, Mar 18, 2008 at 04:26:51PM -0700, patrick keshishian wrote:
> The point you are making here is that pf is imperfect because it
> fails to accommodate NAT for multiple PPTP clients connecting to
> a single PPTP server;
Yes.
> PPTP arguably having a design flaw.
Yes.
> So you are saying it is OK to work into the OpenBSD kernel provisions
> to handle a PPTP quirk that only manifests itself in a very
> specific (potentially extremely rare) use-case, and by doing so
> inherit the pitfalls I mentioned in my previous email: maintenance,
> readability and potentially security?
If someone proposed a design that does everything outside the kernel
I would not object. I don't care much about performance of the
pptp NAT use case, I'd just like it to work.
Anyway, let's nail down what code your concerns are about:
The patch under review is adding three non-trivial functions to
the kernel, in terms of size, namely pf_match_translation_gre,
pf_get_translation_gre and pf_test_state_gre. The rest seems
to be glue code that calls these functions.
I trust henning and reyk in reviewing those functions, but would
not object to helping with the review if necessary (not that I have
much experience in pf coding and code auditing, but I would not
object to making an effort if it helps get the patch in).
--
stefan
http://stsp.name PGP Key: 0xF59D25F0
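An added illustration of the NAT problem the thread is about (editor's example; it is not code from the patch under review nor from pf, and the function names pptp_gre_parse, pptp_nat_open, pptp_nat_inbound and build_pptp_gre are invented for it). PPTP carries its data in enhanced GRE (RFC 2637, IP protocol 47), which has no port numbers; the only demultiplexing key is the 16-bit Call ID in the GRE Key field, and each endpoint picks its own. Packets from the server to a client carry that client's Call ID, so two clients behind one NAT that both chose, say, Call ID 1 towards the same server are indistinguishable on the way in unless the NAT rewrote their IDs to values unique per server when the TCP/1723 control channel set the call up, and maps them back on every inbound GRE packet. The code below keeps exactly that state; it assumes the caller has already found the Outgoing-Call-Request on the control channel and rewrites it with the returned ID, uses host-byte-order addresses, a fixed-size table and no timeouts, and all addresses, IDs and packet bytes are constructed for the example.

```c
/* Added example, not code from the pf patch under review: the state a NAT
 * needs so that several PPTP clients can share one PPTP server. Addresses,
 * call IDs and packet bytes are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PPTP_GRE_PROTO 0x880Bu            /* GRE Protocol Type for PPTP data */
#define MAX_SESS 16

struct pptp_gre {                          /* what we need from the header */
    int has_seq, has_ack;
    uint16_t payload_len, call_id; size_t hdr_len;
};

struct pptp_sess {                         /* one translated call */
    int in_use;
    uint32_t client_ip, server_ip;         /* host byte order, for brevity */
    uint16_t client_call_id;               /* ID the client chose */
    uint16_t nat_call_id;                  /* ID the server was told */
};
static struct pptp_sess sessions[MAX_SESS];

/* Enhanced-GRE header (RFC 2637 sec. 4.1): 0 on success, -1 if malformed
 * or shorter than it claims. */
int pptp_gre_parse(const uint8_t *pkt, size_t len, struct pptp_gre *g)
{
    if (len < 8 || (pkt[1] & 0x07) != 1 ||            /* Ver must be 1 */
        (pkt[0] & 0xE0) != 0x20 ||                    /* C=0, R=0, K=1 */
        (((uint16_t)pkt[2] << 8) | pkt[3]) != PPTP_GRE_PROTO)
        return -1;
    g->has_seq = (pkt[0] & 0x10) != 0;                /* S bit */
    g->has_ack = (pkt[1] & 0x80) != 0;                /* A bit */
    g->payload_len = ((uint16_t)pkt[4] << 8) | pkt[5];
    g->call_id = ((uint16_t)pkt[6] << 8) | pkt[7];    /* Key, low word */
    g->hdr_len = 8 + 4 * (g->has_seq + g->has_ack);   /* optional seq/ack */
    return (len < g->hdr_len || len - g->hdr_len < g->payload_len) ? -1 : 0;
}

static int nat_id_taken(uint32_t server_ip, uint16_t id)
{
    for (int i = 0; i < MAX_SESS; i++)
        if (sessions[i].in_use && sessions[i].server_ip == server_ip &&
            sessions[i].nat_call_id == id)
            return 1;
    return 0;
}

/* Control-channel hook for the client's Outgoing-Call-Request: keep
 * client_call_id if no other client uses it towards this server, else take
 * the next free value; the caller rewrites the request with the result.
 * Returns 0 (reserved here as the failure value) if nothing is free. */
uint16_t pptp_nat_open(uint32_t client_ip, uint16_t client_call_id,
                       uint32_t server_ip)
{
    int slot = -1;
    for (int i = 0; i < MAX_SESS && slot < 0; i++)
        if (!sessions[i].in_use) slot = i;
    if (slot < 0) return 0;
    uint16_t id = client_call_id;
    for (int n = 0; n < 65535 && (id == 0 || nat_id_taken(server_ip, id)); n++)
        id++;                                         /* uint16_t wraps */
    if (id == 0 || nat_id_taken(server_ip, id)) return 0;
    sessions[slot] = (struct pptp_sess){ 1, client_ip, server_ip, client_call_id, id };
    return id;
}

/* Server->client data: the Key field carries what the server believes is its
 * peer's call ID, i.e. our NAT ID. Map it back to the real client and rewrite
 * the field in place. 0 and *client_ip on success, -1 (drop) otherwise. */
int pptp_nat_inbound(uint8_t *pkt, size_t len, uint32_t server_ip,
                     uint32_t *client_ip)
{
    struct pptp_gre g;
    if (pptp_gre_parse(pkt, len, &g) < 0)
        return -1;
    for (int i = 0; i < MAX_SESS; i++) {
        const struct pptp_sess *s = &sessions[i];
        if (s->in_use && s->server_ip == server_ip && s->nat_call_id == g.call_id) {
            pkt[6] = (uint8_t)(s->client_call_id >> 8);
            pkt[7] = (uint8_t)s->client_call_id;
            *client_ip = s->client_ip;
            return 0;
        }
    }
    return -1;
}

/* Constructed 16-byte packet: K|S, Ver 1, 0x880B, payload length 4, Call ID,
 * sequence number, then 4 bytes of dummy PPP payload. Returns the length. */
size_t build_pptp_gre(uint8_t *buf, uint16_t call_id, uint32_t seq)
{
    const uint8_t pkt[16] = { 0x30, 0x01, 0x88, 0x0B, 0x00, 0x04,
        (uint8_t)(call_id >> 8), (uint8_t)call_id, (uint8_t)(seq >> 24),
        (uint8_t)(seq >> 16), (uint8_t)(seq >> 8), (uint8_t)seq, 0xFF, 0x03, 0x00, 0x21 };
    memcpy(buf, pkt, 16);
    return 16;
}
```

With two clients 10.0.0.2 and 10.0.0.3 both opening Call ID 1 to 192.168.1.1, the first keeps 1 and the second is told 2, and an inbound GRE packet carrying Key 2 is rewritten to Call ID 1 and steered to 10.0.0.3. The client-to-server direction is not shown because it needs only address translation: those packets carry the server's Call ID, which the server already made unique. The security-relevant part is the drop path: a GRE packet that is malformed, shorter than its own length field, or carries a Call ID with no matching session must never reach an inside host, since GRE has no handshake of its own to gate it.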