Global ingress filter for ip


I was wondering about adding a global ingress filter functionality to NetBSD.
I've begun to work on it and I wanted to have some advice.

The functionality is aimed to be used by encap subsystems like gif
and stf. Also, a sysctl can trigger the filter globally.
Flags are added in the pkthdr struct to keep track of the ingress check.

Actually, I've just implemented the ip_input() side. Are things done
the right way?
The benefits would be to have a single ingress check per packet
(actually, if I did a good check, the ingress filter is applied for
each configured tunnel). The implementation allows a subsystem to
force the filter for a given packet, and a subsystem can ask for the
packet's ingress status (by using

Here is my current code


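The design sketched in the post (a reverse-path ingress check that runs once per packet, with the verdict cached in pkthdr flags, forced by a tunnel subsystem or enabled globally through a sysctl) can be illustrated outside the kernel. The following is an added example and is not the poster's code nor NetBSD's: the flag names `M_INGRESS_DONE`, `M_INGRESS_PASS` and `M_INGRESS_FORCE`, the knob `ingress_filter_global`, the `struct pkthdr` stand-in, the toy routing table and the functions `ip_ingress_check()` and `tunnel_ingress_status()` are all hypothetical, and the routes and packets are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical pkthdr flag bits (not NetBSD's real flag names). */
#define M_INGRESS_DONE  0x01u  /* the ingress check already ran for this packet */
#define M_INGRESS_PASS  0x02u  /* cached verdict: the packet passed */
#define M_INGRESS_FORCE 0x04u  /* a subsystem (e.g. a tunnel) demands the check */

/* Minimal stand-in for the mbuf packet header. */
struct pkthdr {
    uint32_t flags;   /* M_INGRESS_* bits */
    int      rcvif;   /* index of the interface the packet arrived on */
    uint32_t src;     /* IPv4 source address, host byte order */
};

/* One entry of a toy routing table: prefix/plen reachable via ifindex. */
struct route { uint32_t prefix; int plen; int ifindex; };

/* Stand-in for a global sysctl knob that enables the filter for every packet. */
static int ingress_filter_global = 0;

/* Counts route lookups so the "one check per packet" property is observable. */
static unsigned route_lookups = 0;

static uint32_t prefix_mask(int plen)
{
    return plen == 0 ? 0u : (uint32_t)(0xffffffffu << (32 - plen));
}

/* Longest-prefix match; returns the outgoing interface index or -1 if unrouted. */
static int route_lookup(const struct route *tbl, size_t n, uint32_t dst)
{
    int best = -1, bestlen = -1;
    route_lookups++;
    for (size_t i = 0; i < n; i++) {
        uint32_t m = prefix_mask(tbl[i].plen);
        if ((dst & m) == (tbl[i].prefix & m) && tbl[i].plen > bestlen) {
            best = tbl[i].ifindex;
            bestlen = tbl[i].plen;
        }
    }
    return best;
}

/*
 * Reverse-path ingress check, run at most once per packet.
 * Returns 1 if the packet passed, 0 if it failed, -1 if no check was
 * required (filter neither forced for this packet nor enabled globally).
 */
int ip_ingress_check(struct pkthdr *m, const struct route *tbl, size_t n)
{
    if (m->flags & M_INGRESS_DONE)                 /* reuse the cached verdict */
        return (m->flags & M_INGRESS_PASS) ? 1 : 0;
    if (!ingress_filter_global && !(m->flags & M_INGRESS_FORCE))
        return -1;
    int out_if = route_lookup(tbl, n, m->src);
    m->flags |= M_INGRESS_DONE;
    if (out_if == m->rcvif) {                      /* route back to src leaves via rcvif */
        m->flags |= M_INGRESS_PASS;
        return 1;
    }
    return 0;                                      /* unrouted, or arrived on the wrong interface */
}

/* What a tunnel subsystem would call: force the check and read the verdict. */
int tunnel_ingress_status(struct pkthdr *m, const struct route *tbl, size_t n)
{
    m->flags |= M_INGRESS_FORCE;
    return ip_ingress_check(m, tbl, n);
}

/* Constructed routing table: 10.0.0.0/8 via if 1, 192.168.0.0/16 via if 2. */
static const struct route demo_table[] = { { 0x0a000000u, 8, 1 }, { 0xc0a80000u, 16, 2 } };
#define DEMO_N (sizeof demo_table / sizeof demo_table[0])

/* Legitimate packet from 10.0.0.5 on if 1, queried by two tunnels: one lookup only. */
int demo_legit_lookups(void)
{
    struct pkthdr m = { 0, 1, 0x0a000005u };
    route_lookups = 0;
    tunnel_ingress_status(&m, demo_table, DEMO_N);   /* gif asks: passes */
    tunnel_ingress_status(&m, demo_table, DEMO_N);   /* stf asks: cached verdict */
    return (int)route_lookups;
}

/* Spoofed source 10.0.0.5 arriving on if 2 is rejected by a tunnel's query. */
int demo_spoof_verdict(void)
{
    struct pkthdr m = { 0, 2, 0x0a000005u };
    return tunnel_ingress_status(&m, demo_table, DEMO_N);
}

/* Plain ip_input() path with the knob off and nobody forcing: no check required. */
int demo_not_required(void)
{
    struct pkthdr m = { 0, 1, 0x0a000005u };
    ingress_filter_global = 0;
    return ip_ingress_check(&m, demo_table, DEMO_N);
}

/* With the global knob on, the spoofed packet is rejected in ip_input() itself. */
int demo_global_spoof(void)
{
    struct pkthdr m = { 0, 2, 0x0a000005u };
    ingress_filter_global = 1;
    int r = ip_ingress_check(&m, demo_table, DEMO_N);
    ingress_filter_global = 0;
    return r;
}

int main(void)
{
    printf("lookups=%d spoof=%d none=%d global_spoof=%d\n", demo_legit_lookups(),
           demo_spoof_verdict(), demo_not_required(), demo_global_spoof());
    return 0;
}
```

The point the toy makes is the one the post is after: because the verdict lives in the packet header, a second tunnel asking about the same packet gets the cached answer instead of a second routing lookup, and the same `ip_ingress_check()` serves both the per-packet force from a subsystem and the global sysctl mode.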