tech-net archive


Re: Global ingress filter for ip

On Fri, Mar 28, 2008 at 6:22 PM, Thor Lancelot Simon 
<> wrote:
>  What does this do that cannot be done by a standard packet filter (e.g.
>  ipf or pf) using the existing ip_input filter hook?
>  Thor

As far as I know, this can be done using ipf or pf, in another way:
The ingress test uses a lookup in the routing table, rules would use ip

However, the tunnel pseudo devices actually use this test (with an
IFF_LINK). My goal was to make it more centric, generic, and
independent of any processing which could be done on the packet (this
is why the test occurs before NAT).

It's just a way to share code between tunnel pseudo devices. Also,
it's much lighter and simpler.

For code sharing, the tunnel pseudo devices would call
enable_ipingress() when cloning interface, and it can check the
ingress status of the packet by looking at the flags in

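The ingress test the thread refers to is a reverse-path check: the packet's source address is looked up in the routing table and the packet is accepted only if the route points back out of the interface it arrived on. The following is an added illustration in user-space C, not NetBSD kernel code and not the patch under discussion; the routing table, interface indices and helper names (route_lookup, ingress_ok, ip4) are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed routing table, host byte order. Interface indices are made up:
 * 1 = "lan0", 2 = "tun0" (a tunnel pseudo device), 3 = default uplink. */
struct route {
    uint32_t dst;   /* network address */
    int      plen;  /* prefix length */
    int      ifidx; /* interface the route points out of */
};

static const struct route rtable[] = {
    { 0x0A000000, 8,  1 }, /* 10.0.0.0/8     -> lan0   */
    { 0x0A010000, 16, 2 }, /* 10.1.0.0/16    -> tun0   */
    { 0xC0A80000, 16, 1 }, /* 192.168.0.0/16 -> lan0   */
    { 0x00000000, 0,  3 }, /* default        -> uplink */
};

/* Netmask for a prefix length; plen 0 handled separately to avoid a 32-bit shift. */
static uint32_t mask(int plen) { return plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen); }

/* Longest-prefix match: returns the egress interface index, or -1 if unrouted. */
int route_lookup(uint32_t addr) {
    int best = -1, bestlen = -1;
    for (size_t i = 0; i < sizeof rtable / sizeof rtable[0]; i++) {
        if ((addr & mask(rtable[i].plen)) == rtable[i].dst && rtable[i].plen > bestlen) {
            best = rtable[i].ifidx;
            bestlen = rtable[i].plen;
        }
    }
    return best;
}

/* Strict reverse-path ingress test: the packet passes only if the route for its
 * source address leads back out of the interface it was received on. */
int ingress_ok(uint32_t src, int rcv_ifidx) {
    int out = route_lookup(src);
    return out != -1 && out == rcv_ifidx;
}

uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

int main(void) {
    /* A 10.1.0.0/16 source arriving on lan0 (ifidx 1) instead of tun0 fails the test. */
    printf("10.1.2.3 on tun0: %d\n", ingress_ok(ip4(10, 1, 2, 3), 2)); /* 1 */
    printf("10.1.2.3 on lan0: %d\n", ingress_ok(ip4(10, 1, 2, 3), 1)); /* 0 */
    return 0;
}
```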
