From: Theo de Raadt
Subject: Re: ip sysctl atomic
To: bluhm@openbsd.org, tech@openbsd.org
Date: Fri, 17 May 2024 13:35:44 -0600

>> e.g. when a function checks ip_forwarding and then calls a 2nd function
>> which also checks ip_forwarding then you can't ensure that both see the
>> same value. This can be a very nasty footgun.
>
>This is why I pass flags. I think the other sysctl integers are
>independent. But who knows, only net lock has no risk. Everything
>else needs manual inspection of the packet path.

Kernel code must be able to deal with circumstances changing. For example, ip_forwarding.
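The double-read problem and the pass-flags approach discussed in this thread, as an added userland C example that is not part of the message and is not OpenBSD source. The global, the `DEMO_FLAG_FORWARDING` bit and all function names are hypothetical, and the concurrent sysctl write is simulated by a direct store between the two stages.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the sysctl-controlled integer (not kernel code). */
static atomic_int ip_forwarding = 1;
#define DEMO_FLAG_FORWARDING 0x1	/* hypothetical flag bit */

/* Simulates a sysctl write from another CPU landing mid-path. */
static void concurrent_sysctl_write(int v) { atomic_store(&ip_forwarding, v); }

/* Second stage: one variant re-reads the global, one trusts the flags. */
static bool stage2_reread(void) { return atomic_load(&ip_forwarding) != 0; }
static bool stage2_flags(int flags) { return (flags & DEMO_FLAG_FORWARDING) != 0; }

struct decision { bool stage1; bool stage2; };

/* Double read: each stage loads the global on its own. */
static struct decision path_double_read(int racing_value)
{
	struct decision d;
	d.stage1 = atomic_load(&ip_forwarding) != 0;
	concurrent_sysctl_write(racing_value);	/* value changes between checks */
	d.stage2 = stage2_reread();
	return d;
}

/* Single read: load once, carry the snapshot down the call chain as flags. */
static struct decision path_pass_flags(int racing_value)
{
	struct decision d;
	int flags = atomic_load(&ip_forwarding) ? DEMO_FLAG_FORWARDING : 0;
	d.stage1 = (flags & DEMO_FLAG_FORWARDING) != 0;
	concurrent_sysctl_write(racing_value);	/* same change, no effect on this packet */
	d.stage2 = stage2_flags(flags);
	return d;
}

int main(void)
{
	struct decision a = path_double_read(0);
	atomic_store(&ip_forwarding, 1);	/* reset for the second run */
	struct decision b = path_pass_flags(0);
	printf("double read: %d/%d  pass flags: %d/%d\n",
	    a.stage1, a.stage2, b.stage1, b.stage2);
	return 0;
}
```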