Subject: Re: placement of PFIL_HOOKS filtering points
To: None <firstname.lastname@example.org>
From: Darren Reed <email@example.com>
Date: 11/08/2000 00:28:25
In some email I received from Jason R Thorpe, sie wrote:
> Hi folks...
> I'm working on a project (a packet classification framework) that uses
> the PFIL_HOOKS mechanism. However, the placement of the PFIL_HOOKS
> filtering points is problematic.
> Specifically, the filtering point is located *after* the ip_len and
> ip_off fields are converted to host order in the ip_input() case, and
> *before* they are converted to network byte order in the ip_output()
> I would like to change this (I have changed this in my own source
> tree) ... compatibility can be maintained with a wrapper function
> for the only current user of the PFIL_HOOKS mechanism (IP Filter) (in
> fact, I am already using a wrapper function for IP Filter for another
> reason, which I will post about later).
> I'd like to get other people's opinion on this before I commit it
> to NetBSD-current.
> Note I haven't fixed the ip_output() case yet (which is simply a
> known bug with my project :-) -- that path is a little trickier, but
> before I put all that effort into it, I wanna get people's thoughts.

What about if a pfil hook is called from elsewhere (say ICMP), gets
the mbuf passed and tries to run a BPF filter over the IP + ICMP
header? Or should that filter never look at the IP header?

You haven't mentioned why you want them in network byte order, here,
but if you're using BPF for the filtering, I have to wonder whether
this is beneficial. The alternative of changing BPF isn't attractive