Subject: Re: ip filtering
To: Steven Reiz <sreiz@aie.nl>
From: Robert Crowe <bob@speakez.com>
List: current-users
Date: 03/29/1994 10:23:17
In message <199403291555.RAA00453@aie8.aie.nl>, Steven Reiz writes:
>Hi All!
>
>Has anyone done work on adding ip filtering (based on src/destination
>ip address and tcp ports) to the NetBSD kernel?
>More specifically I'm looking at /usr/src/sys/netinet/ip_input.c,
>it looks as if the following code:
>        if (ipforwarding == 0) {
>                ipstat.ips_cantforward++;
>                m_freem(m);
>        } else
>                ip_forward(m, 0);
>
>could very simply be `enhanced' with code which checks ip addresses and
>such. I haven't really thought about how to modify the filtering table though
>(something like the route/netstat duo, probably).
>
>Any thoughts?
>
>	-Steven

There is a program called screend, which has been ported to bsdi.  I wouldn't
think it too difficult to port this code to NetBSD, but I haven't really 
looked at it much.   I seem to recall the model was as follows:

   screend daemon opens up some kernel device (not sure about this)
   screend performs ioctl to let kernel know to send all packet headers
         to screend (via the ioctl return)
   when ioctl returns, ip headers are examined and matched against filter table
   if ip header is ok to forward, the next ioctl call is made, with a value
         that indicates the packet should be forwarded, and then the ioctl
         blocks until the next packet is received.
   else next ioctl tells kernel to discard packet (possibly sending icmp junk)
   
This is a vastly simplified "readers digest" version of what happens,
and I may have it all wrong.  As you can see there is potential for some
latency, due to the use of a user process to implement the decision making
policy.  The nice thing is that because the decisions are done in userland,
they can get pretty complex without bloating the kernel, and you can customize
the daemon pretty easily.

Anyhow, there is a paper(s?) on gatekeeper.dec.com somewhere.  The original
code is also there ( I don't recall just where ).  It's possible that the
bsdi ports are on ftp.bsdi.com, but I'm not sure about that.

Hope this helps,
Bob.

-------------------------------------------------------------------------
Robert Crowe                                              bob@speakez.com
SpeakEasy Software,                                   (619) 576-4100 x101
8947-A Complex Drive                                San Diego, Ca.  92123
                           Fax:  (619) 576-4111
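The matching step that both messages circle around (Steven's idea of a check at the ip_forward branch, and the per-header decision the screend daemon makes in Bob's sketch) is the same piece of logic either way. Below is an added example of that step in C; it is not screend's code, nothing from gatekeeper.dec.com or ftp.bsdi.com, and not NetBSD source. The kernel side (the device, the ioctl handshake) is left out since the message itself is unsure of it, so the packets are constructed byte buffers built in `build_tcp_packet`. The rule table, first-match semantics, the default-deny policy, the fragment handling and the helper names (`screen_packet`, `screen_tcp`, `IP`) are all assumptions made for the example.

```c
/* Added illustration of the screening decision, not screend's source.
 * Assumptions: first matching rule wins, and a packet no rule permits
 * is discarded (the default policy is not stated in the message). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ACT_DISCARD 0
#define ACT_FORWARD 1
#define PROTO_TCP   6   /* IP protocol number for TCP */

/* Host-order dotted quad, so the table reads like an address. */
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

struct rule {
    uint32_t src, src_mask;   /* mask 0 = any source */
    uint32_t dst, dst_mask;   /* mask 0 = any destination */
    int      proto;           /* -1 = any protocol */
    int      dport;           /* -1 = any port; only TCP is port-aware here */
    int      action;
};

/* Constructed sample table: let SMTP and DNS-over-TCP into 192.168.1.0/24,
 * let anything out of 192.168.1.0/24, discard the rest by default. */
static const struct rule table[] = {
    { 0, 0, IP(192,168,1,0), 0xffffff00u, PROTO_TCP, 25, ACT_FORWARD },
    { 0, 0, IP(192,168,1,0), 0xffffff00u, PROTO_TCP, 53, ACT_FORWARD },
    { IP(192,168,1,0), 0xffffff00u, 0, 0, -1, -1, ACT_FORWARD },
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0]<<24)|((uint32_t)p[1]<<16)|((uint32_t)p[2]<<8)|p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0]<<8)|p[1]); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v>>24; p[1] = v>>16; p[2] = v>>8; p[3] = v;
}

/* Decide FORWARD or DISCARD for one packet that starts at its IPv4 header.
 * Anything that does not parse as a sane header is discarded rather than
 * passed through, so a truncated or non-IPv4 buffer never matches a rule. */
int screen_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return ACT_DISCARD;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return ACT_DISCARD;
    int proto = pkt[9];
    uint32_t src = rd32(pkt + 12), dst = rd32(pkt + 16);
    int dport = -1;
    /* Only the first fragment carries the TCP ports; later fragments keep
     * dport = -1, so a port-specific rule cannot match them. */
    if (proto == PROTO_TCP && (rd16(pkt + 6) & 0x1fff) == 0) {
        if (len < ihl + 4) return ACT_DISCARD;   /* need both port fields */
        dport = rd16(pkt + ihl + 2);
    }
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const struct rule *r = &table[i];
        if ((src & r->src_mask) != (r->src & r->src_mask)) continue;
        if ((dst & r->dst_mask) != (r->dst & r->dst_mask)) continue;
        if (r->proto != -1 && r->proto != proto) continue;
        if (r->dport != -1 && r->dport != dport) continue;
        return r->action;
    }
    return ACT_DISCARD;   /* assumed default policy */
}

/* Build a minimal 40-byte IPv4 + TCP header pair (constructed test input). */
size_t build_tcp_packet(uint8_t *buf, uint32_t src, uint32_t dst,
                        uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;              /* version 4, IHL 5 */
    buf[3] = 40;                /* total length */
    buf[8] = 64;                /* TTL */
    buf[9] = PROTO_TCP;
    wr32(buf + 12, src);
    wr32(buf + 16, dst);
    buf[20] = sport>>8; buf[21] = (uint8_t)sport;
    buf[22] = dport>>8; buf[23] = (uint8_t)dport;
    buf[32] = 0x50;             /* TCP data offset 5 */
    return 40;
}

/* Convenience: build one TCP packet and screen it. */
int screen_tcp(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    uint8_t buf[40];
    return screen_packet(buf, build_tcp_packet(buf, src, dst, sport, dport));
}

int main(void)
{
    printf("inbound smtp:   %d\n", screen_tcp(IP(10,0,0,5), IP(192,168,1,10), 40000, 25));
    printf("inbound telnet: %d\n", screen_tcp(IP(10,0,0,5), IP(192,168,1,10), 40000, 23));
    printf("outbound:       %d\n", screen_tcp(IP(192,168,1,10), IP(10,0,0,5), 1025, 23));
    return 0;
}
```

Whether this sits in the kernel at the `ip_forward` branch or in a daemon fed by an ioctl, the shape is the same: parse only what the rules need, refuse anything that does not parse, and let the table decide. The fragment rule is the one to think about before deploying such a thing; with the assumed semantics a non-first fragment only passes rules that do not care about ports.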


------------------------------------------------------------------------------