ip sysctl atomic
>On Fri, May 17, 2024 at 01:24:32PM -0600, Theo de Raadt wrote:
>> > e.g. when a function checks ip_forwarding and then calls a 2nd function
>> > which also checks ip_forwarding then you can't ensure that both see the
>> > same value. This can be a very nasty footgun.
>>
>> Wait wait. So you are talking about two separate sysctl(2) invocations?
>>
>> That's not atomic. There is no chance of it being atomic. That is
>> not solvable.
>
>No, Claudio talks about the other interaction. First half of packet
>processing is done with one integer value, then sysctl changes it,
>and final packet path reads the value again, but it is different.
>
>This may lead to inconsistent network behavior.

The kernel code must handle this. Or we put the biglock back. Come on.
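The double read described in the thread, as an added userland sketch that is not part of the original messages and is not OpenBSD kernel code. It contrasts a path that loads the setting in both stages with one that loads it once and carries the value with the packet; the function names, the PKT_FORWARDING flag and the between_stages hook are hypothetical, and the mid-packet sysctl write is constructed so the outcome is deterministic.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the sysctl-controlled integer. */
static _Atomic int ip_forwarding;
/* Constructed hook: a sysctl(2) write landing between the two stages. */
static void (*between_stages)(void);
static void sysctl_disable(void) { atomic_store(&ip_forwarding, 0); }

struct verdict { bool accepted; bool sent; };
#define PKT_FORWARDING 0x1 /* per-packet copy of the setting (assumed name) */

/* Racy shape: the second stage loads the global again. */
static bool racy_output(void) { return atomic_load(&ip_forwarding) != 0; }
static struct verdict racy_input(void)
{
    struct verdict v = { atomic_load(&ip_forwarding) != 0, false };
    between_stages();
    if (v.accepted)
        v.sent = racy_output();
    return v;
}

/* Snapshot shape: one load, then the value travels with the packet. */
static bool snap_output(int flags) { return (flags & PKT_FORWARDING) != 0; }
static struct verdict snap_input(void)
{
    int flags = atomic_load(&ip_forwarding) ? PKT_FORWARDING : 0;
    struct verdict v = { (flags & PKT_FORWARDING) != 0, false };
    between_stages();
    if (v.accepted)
        v.sent = snap_output(flags);
    return v;
}

/* Enable forwarding, flip it mid-packet, report whether stages agreed. */
static bool stages_agree(struct verdict (*path)(void))
{
    atomic_store(&ip_forwarding, 1);
    between_stages = sysctl_disable;
    struct verdict v = path();
    return v.accepted == v.sent;
}

int main(void)
{
    printf("racy: %d snapshot: %d\n", stages_agree(racy_input), stages_agree(snap_input));
    return 0;
}
```

Each individual load is atomic in both paths; only the snapshot path gives one packet a single view of the setting.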