Global ingress filter for ip

To: tech-net%netbsd.org@localhost
Subject: Global ingress filter for ip
From: "Rodolphe De Saint Leger" <rdesaintleger%gmail.com@localhost>
Date: Fri, 28 Mar 2008 02:36:30 +0100

Hi,

I was wondering about adding a global ingress filter functionnality to NetBSD.
I've began to work on it and I wanted to have some advices.

The functionnality is aimed to be used by encap subsystems like gif
and stf. also a sysctl can trigger the filter globally.
Flags are added in the pkthdr struct to keep track of the ingress check.

Actually, I've just implemented the ip_input() side. Are things done
the right way ?
The benefits would be to have a single ingress check by packet
(actually, If a did a good check, the ingress filter is applied for
each configured tunnel). The implementation allows a subsystem to
force the filter for a given packet, and a subsystem can ask for the
packet's ingress status (by using
enable_ipingress()/disable_ipingress())

Here is my current code
http://shumira.roroland.net/20080328/ingress.diff

Regards,
-- 
int main(int c,char**v){int b,e=(c>>24)+6,g=c==1?1:e>>4;
char*d=c==1?"d3JpdGUgaW4gQw==":g==2?*v:v[c-1];b=c<<6|(*d
+(*d>96?-71:*d>58?-65:*d>47?4:*d>46?16:19));if(*d==61?0:
*d){if((e&=15)>7)putchar((b>>(e-=8))&255); d++;main(((e|
32)<<24)|(b&4095),&d);}return g<2&&c>2?main(--c,v):1;}

Follow-Ups:
- Re: Global ingress filter for ip
  - From: Thor Lancelot Simon

Prev by Date: wm0 Ierrs
Next by Date: Regarding summer of code 2008(writing device drivers)
Previous by Thread: wm0 Ierrs
Next by Thread: Re: Global ingress filter for ip
Indexes:

Home | Main Index | Thread Index | Old Index