Why admin's do not trust daemons to do their own packet filtering

Hal Murray hmurray at megapathdsl.net
Tue May 29 19:29:12 UTC 2018

> We could kill the interface command, and let the usual syntax error happen.
> Or we could raise a special syntax error, calling out the need to use the
> packet filter instead.  Then the question becomes, is it a warn-and-continue,
>  or a error-and-halt? 

Error and halt.  (or set a flag to halt after the rest of the parsing)

This is a security issue.  We don't want to let evil packets in.

These are my opinions.  I hate spam.

More information about the devel mailing list