From: Theo de Raadt <deraadt@cvs.openbsd.org>
Subject: Re: ip sysctl atomic
To: alexander.bluhm@gmx.net, deraadt@cvs.openbsd.org
Cc: claudio@openbsd.org, mark.kettenis@xs4all.nl, tech@openbsd.org
Date: Fri, 17 May 2024 13:36:50 -0600

>On Fri, May 17, 2024 at 01:24:32PM -0600, Theo de Raadt wrote:
>> > e.g. when a function checks ip_forwarding and then calls a 2nd functio=
>n
>> > which also checks ip_forwarding then you can't ensure that both see th=
>e
>> > same value. This can be a very nasty footgun.
>>
>> Wait wait.  So you are talking about two seperate sysctl(2) invocations?
>>
>> That's not atomic.  There is no chance of it being atomic.  That is
>> not solveable.
>
>No, Claudio talks about the other interaction.  First half of packet
>processing is done with one integer value, then sysctl changes it,
>and final packet path reads the value again, but it is different.
>
>This my lead to inconsistent network behavior.

The kernel code must handle this.

Or we put the biglock back.

Come on.