tech-kern archive


Patch: accept filters for NetBSD



A coworker has ported the FreeBSD "accept filter" functionality to
NetBSD (approximately 4.99.40 -- I think the attached patch should
apply cleanly to HEAD today, however).  Accept filters are kernel
level filters, enabled with setsockopt(), which can perform arbitrary
operations on a TCP or local stream connection before accept() returns
to userspace or the listen socket selects ready for accept.  Think of
it as a much more sophisticated version of the socket watermark.

These have been in FreeBSD for a long time.  In FreeBSD they're often
dynamically loaded just before the setsockopt() but doing so at runtime
poses some obvious security issues.  We didn't adapt the kernel-module
code in this patch to the new NetBSD framework but will do so over time
if these are committed.  Rather, we've made each accept filter (we
supply two, "dataready" and "http") a pseudo-device to allow static
configuration in the kernel config file; in my opinion this is moderately
hokey but it works and is less objectionable than any of my other ideas.

Opinions?  The manual pages (accept_filter, accf_http, accf_dataready)
are not present in the patch but I will adjust them for NetBSD and
check them in with the rest of this if there are no objections.

-- 
Thor Lancelot Simon
Coyote Point Systems, Inc.                      <tls%coyotepoint.com@localhost>
Millerton, NY, USA
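To make the mechanism described in the message above concrete, here is an added example of what the userspace side of an accept filter looks like; it is not from the attached patch and not from Thor's or Coyote Point's code. It assumes the BSD API the message refers to: `setsockopt(SOL_SOCKET, SO_ACCEPTFILTER)` with a `struct accept_filter_arg` carrying a 16-byte filter name and a 240-byte filter argument, a layout the example mirrors locally as `struct accf_arg` so that it also compiles on kernels without the option. The helper names `accf_build_arg`, `accf_install` and `accf_listen_local` are the example's own. The practical points it encodes: the option is only valid on a socket that has already called `listen()`, the filter name must be one the kernel actually has (on the NetBSD port described here, a pseudo-device compiled into the kernel; otherwise the call fails with `ENOENT`), and a name that does not fit the fixed-size field is rejected before it reaches the kernel.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Local mirror of the BSD struct accept_filter_arg layout (assumed from the
 * FreeBSD/NetBSD sys/socket.h definition): a 16-byte filter name followed by
 * a 240-byte filter-specific argument.  Declared locally so the helpers below
 * compile on systems that lack SO_ACCEPTFILTER as well.
 */
struct accf_arg {
    char af_name[16];
    char af_arg[256 - 16];
};

/*
 * Fill an accept-filter argument block.  Returns 0 on success, or -1 with
 * errno set to EINVAL when the name or argument would not fit (each must stay
 * NUL-terminated inside its fixed-size field).
 */
int accf_build_arg(struct accf_arg *afa, const char *name, const char *arg)
{
    memset(afa, 0, sizeof *afa);
    if (name == NULL || strlen(name) >= sizeof afa->af_name) {
        errno = EINVAL;
        return -1;
    }
    if (arg != NULL && strlen(arg) >= sizeof afa->af_arg) {
        errno = EINVAL;
        return -1;
    }
    strcpy(afa->af_name, name);     /* lengths checked above */
    if (arg != NULL)
        strcpy(afa->af_arg, arg);
    return 0;
}

/*
 * Attach an accept filter to a socket that is already listening.  On
 * FreeBSD/NetBSD this is setsockopt(SOL_SOCKET, SO_ACCEPTFILTER); the kernel
 * rejects it on a socket that has not called listen() and fails with ENOENT
 * when no filter of that name is available.  On kernels without the option
 * the helper reports ENOPROTOOPT instead of pretending to succeed.
 */
int accf_install(int lfd, const char *name, const char *arg)
{
    struct accf_arg afa;

    if (accf_build_arg(&afa, name, arg) == -1)
        return -1;
#ifdef SO_ACCEPTFILTER
    return setsockopt(lfd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof afa);
#else
    (void)lfd;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Create a TCP listener on 127.0.0.1:port (port 0 lets the kernel choose). */
int accf_listen_local(unsigned short port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd == -1)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == -1 ||
        listen(fd, 16) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int lfd = accf_listen_local(0);

    if (lfd == -1) {
        perror("listen");
        return 1;
    }
    /* "dataready": accept() returns only once the peer has sent data. */
    if (accf_install(lfd, "dataready", NULL) == 0)
        printf("accept filter installed; accept() now waits for data\n");
    else
        perror("SO_ACCEPTFILTER");  /* ENOENT: filter not built into kernel */
    close(lfd);
    return 0;
}
```

The defensive value is the one the message hints at with the socket-watermark comparison: a connection that never sends a request never wakes the server process at all, so idle or slow-start connections are held in the kernel instead of occupying a worker. The flip side for an operator is that `accept()` can now block indefinitely on a connected peer, so the filter is best paired with whatever idle timeout the server already applies.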


