
Re: recent pf_route loop detection commit

On Tue, May 11, 2004 at 03:24:28PM +0300, Alexey E. Suslikov wrote:
> > change pf_route() loop detection: introduce a counter (number of times
> > a packet is routed already) in the mbuf tag, allow at most four times.
> > Fixes some legitimate cases broken by the previous change. ok [email protected]
> will this work together with VLAN encapsulation? how does the
> en/decapsulation engine deal with the mbuf?
I don't know, to my knowledge, no one has tested it with vlan yet. Try :)
If the mbuf tags are preserved through vlan en/decapsulation, the
counter inside the mbuf tag will be incremented on route-to, and the
packet dropped when it exceeds four (whereas it would be dropped on the
second iteration before that commit). If the tags are not preserved, the
mbuf will get a new tag (with counter starting at zero) on route-to.
This might allow an endless loop, but that would have been possible
before the most recent commit as well.
So the number of ways to get an endless loop has not increased, you just
get more iterations before a loop is assumed, fixing legitimate cases
with a second or third iteration that were broken after the
second-to-last commit.
To find out whether tags are preserved, I suggest just trying it. I
personally don't use vlan, so I'll not test this. If you want to change
that, donate vlan-capable equipment so I can play with it :)
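The two cases described in the reply (tags preserved across en/decapsulation versus a fresh tag with the counter at zero) can be made concrete with a small model. The following C program is an added example written for this page, not pf's code or anything from the thread: the struct names, the simulate() helper and the vlan-strips-the-tag scenario are constructed assumptions; only the rule "count route-to passes in the tag, allow at most four" comes from the commit message quoted above.

```c
#include <stdio.h>
#include <string.h>

/* From the quoted commit message: at most four routings per packet. */
#define PF_MAX_ROUTED 4

/* Constructed stand-in for the pf mbuf tag; real pf keeps more state. */
struct pf_tag_model {
    int routed;     /* number of times this packet was already routed */
};

/* Constructed stand-in for an mbuf that may or may not carry a tag. */
struct mbuf_model {
    int has_tag;
    struct pf_tag_model tag;
};

enum route_result { ROUTE_FORWARDED = 0, ROUTE_DROPPED_LOOP = 1 };

/* One route-to pass: attach a tag if missing (counter starts at zero),
 * bump the counter, drop once it exceeds the limit. */
enum route_result pf_route_model(struct mbuf_model *m)
{
    if (!m->has_tag) {
        m->has_tag = 1;
        m->tag.routed = 0;
    }
    if (++m->tag.routed > PF_MAX_ROUTED)
        return ROUTE_DROPPED_LOOP;
    return ROUTE_FORWARDED;
}

/* Push one packet through route-to up to 'passes' times.  When
 * tags_preserved is 0 the (hypothetical) encapsulation path strips the
 * tag before every pass, which is the vlan case the thread worries about.
 * Returns how many passes were forwarded before the drop, or -1 if the
 * loop was never detected within 'passes' iterations. */
int simulate(int passes, int tags_preserved)
{
    struct mbuf_model m;
    memset(&m, 0, sizeof(m));
    for (int i = 1; i <= passes; i++) {
        if (!tags_preserved)
            m.has_tag = 0;          /* tag lost in en/decapsulation */
        if (pf_route_model(&m) == ROUTE_DROPPED_LOOP)
            return i - 1;
    }
    return -1;
}

int main(void)
{
    /* Legitimate case: a second or third route-to pass is now allowed. */
    printf("3 passes, tags kept: forwarded=%d (-1 means no drop)\n",
           simulate(3, 1));
    /* Loop with tags kept: dropped on the fifth pass, four forwarded. */
    printf("10 passes, tags kept: forwarded before drop=%d\n",
           simulate(10, 1));
    /* Loop with tags lost each pass: never detected, as the reply notes. */
    printf("100 passes, tags lost: forwarded=%d (-1 means no drop)\n",
           simulate(100, 0));
    return 0;
}
```

The third run is the point of the reply: if encapsulation discards the tag, every pass looks like a first routing and the counter never reaches the limit, so the check offers no protection there, exactly as it offered none before the commit.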