tech-net archive


Re: How do I keep an inet6 address from being added to an interface?



On May 6, 2010, at 10:26 20AM, der Mouse wrote:

>> I've often wanted such a feature: a way to ensure that NetBSD's
>> kernel neither sends nor acts on *any* packet received on certain
>> interfaces.
> 
> I added a handful of interface flags to 1.4T, and one of them was
> BPFONLY; when set, packet reception short-circuits everything after
> bpf.  Not quite what you want, because it affects input only.

Right, but certainly a good step.  (Way back when, in the days of thick coax 
and 15-pin drop cables to transceiver bricks, I *really* wanted to be sure that 
a machine would *never* transmit.  After staring at the kernel for a while, I 
decided to clip the transmit leads -- nothing else looked high-enough 
assurance.)
> 
> The most difficult part was finding (and fixing) everything that
> treated interface flags as a 16-bit bitmask; I can't believe it would
> be all that hard to add to -current.
> 
> /~\ The ASCII                           Mouse
> \ / Ribbon Campaign
> X  Against HTML               mouse%rodents-montreal.org@localhost
> / \ Email!         7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
> 


                --Steve Bellovin, http://www.cs.columbia.edu/~smb






