On Fri, May 17, 2024 at 01:24:32PM -0600, Theo de Raadt wrote:
> > e.g. when a function checks ip_forwarding and then calls a 2nd function
> > which also checks ip_forwarding then you can't ensure that both see the
> > same value. This can be a very nasty footgun.
> 
> Wait wait.  So you are talking about two seperate sysctl(2) invocations?
> 
> That's not atomic.  There is no chance of it being atomic.  That is
> not solveable.

No, Claudio talks about the other interaction.  First half of packet
processing is done with one integer value, then sysctl changes it,
and final packet path reads the value again, but it is different.

This my lead to inconsistent network behavior.

bluhm