> Hi All!
> 
> Has anyone done work on adding ip filtering (based on src/destination
> ip address and tcp ports) to the NetBSD kernel?
> More specifically I'm looking at /usr/src/sys/netinet/ip_input.c,
> it looks as if the following code:
>         if (ipforwarding == 0) {
>                 ipstat.ips_cantforward++;
>                 m_freem(m);
>         } else
>                 ip_forward(m, 0);
> 
> could very simply be `enhanced' with code which checks ip addresses and
> such. I haven't really thought about how to modify the filtering table though
> (something like the route/netstat duo, probably).
> 
> Any thoughts?
> 
> 	-Steven
> 
> P.S. The motivation for all of this is, of course, that a netbsd box
> could replace a $$$$ cisco or whatever ip router.

This sort of stuff becomes rather complex very quickly. I think you'd need to 
design some sort of little language that would express the types of filtering 
you were after and embed an interpreter for it. Actually, this would be a good 
excuse to work out a mechanism for doing it in user space - the packet filter 
code would probably come in handy here.

	Stephen


------------------------------------------------------------------------------