tech-net archive
Re: Global ingress filter for ip
On Fri, Mar 28, 2008 at 6:22 PM, Thor Lancelot Simon
<tls%rek.tjls.com@localhost> wrote:
>
> What does this do that cannot be done by a standard packet filter (e.g.
> ipf or pf) using the existing ip_input filter hook?
>
Hi,
Just to illustrate my previous mail, I've modified if_gif.c.
I've replaced the ingress test with the one I've done. Also, I've
modified the sysctl declaration and added ipv6 support.
Some more optimisation could be done, as the ingress_check functions for
ip and ip6 are similar.
I did the test on if_stf.c (but I need to clean the nat part, so I did
not include it). Actually, if_stf and if_gif are the only subsystems
which use ingress checking.
The patch allows if_stf and if_gif to operate the same way (ingress
filtering with iff_link flag) and adds a global ingress filter in ip
and ipv6.
--
int main(int c,char**v){int b,e=(c>>24)+6,g=c==1?1:e>>4;
char*d=c==1?"d3JpdGUgaW4gQw==":g==2?*v:v[c-1];b=c<<6|(*d
+(*d>96?-71:*d>58?-65:*d>47?4:*d>46?16:19));if(*d==61?0:
*d){if((e&=15)>7)putchar((b>>(e-=8))&255); d++;main(((e|
32)<<24)|(b&4095),&d);}return g<2&&c>2?main(--c,v):1;}