hipfw changes settings in /proc without resetting on exit

Asked by René Hummen

1.) As evident from http://bazaar.launchpad.net/%7Ehipl-core/hipl/trunk/annotate/head%3A/firewall/firewall.c?start_revid=5448#L1447 hipfw unconditionally sets IP packet forwarding for IPv4 to enabled. This behavior is fairly intrusive and may not even be required on end-hosts running hipfw.
In my opinion, the decision whether to activate forwarding or not should be left to the user of hipfw and should thus be removed from the code.

2.) As evident from http://bazaar.launchpad.net/%7Ehipl-core/hipl/trunk/annotate/head%3A/firewall/firewall.c?start_revid=5448#L718 netlink buffer capacity is increased but not reset to the previous values on exit. This needs to be fixed. Why do we need to increase the buffer at all?
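As an added example (not code from hipfw or HIPL), the save-and-restore pattern the question asks for: the previous value of a /proc sysctl is read before it is changed and written back when the process exits. The helper names are assumptions, and the sysctl path is a parameter, so the same code applies to /proc/sys/net/ipv4/ip_forward and to an ordinary file.

```c
/* Added example, not hipfw's own code: set a /proc sysctl only after saving
 * its previous value, and put that value back when the process exits. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Saved state for one sysctl (a single slot keeps the example short). */
static char saved_path[256];
static char saved_value[64];
static int  have_saved = 0;

/* Read a sysctl file into buf, trailing newline stripped; 0 on success. */
int sysctl_read(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Write value (plus newline, as sysctl expects) to path; 0 on success. */
int sysctl_write(const char *path, const char *value)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = fprintf(f, "%s\n", value) < 0 ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* Restore the saved value; safe to call more than once. */
void sysctl_restore(void)
{
    if (!have_saved) return;
    have_saved = 0;
    sysctl_write(saved_path, saved_value);
}

/* Save the old value, register the restore with atexit(), then set the new
 * one. Returns 0 on success, -1 on error. */
int sysctl_set_restorable(const char *path, const char *value)
{
    if (have_saved) return -1;            /* one slot only */
    if (sysctl_read(path, saved_value, sizeof saved_value) != 0) return -1;
    snprintf(saved_path, sizeof saved_path, "%s", path);
    have_saved = 1;
    atexit(sysctl_restore);               /* runs on normal exit */
    return sysctl_write(path, value);
}
```

atexit() only covers normal termination, so a daemon that is usually stopped by a signal also has to call sysctl_restore() from its signal handler before exiting.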

Question information

Language: English
Status: Answered
For: HIPL
Assignee: No assignee
Miika Komu (miika-iki) said:
#1

1) I believe that disabling IPv4 is ok as long as it's documented in the manual (firewall section). I think this shouldn't (?) affect LSI, userspace or ESP relay processing because they don't really forward traffic but rather drop and reinject.

2) As far as I remember, netlink buffer size was increased due to performance reasons during heavy traffic. If you disable it completely, please measure e.g. the effect on userspace ipsec.
