Re: Global ingress filter for ip

On Fri, Mar 28, 2008 at 6:22 PM, Thor Lancelot Simon wrote:
>  What does this do that cannot be done by a standard packet filter (e.g.
>  ipf or pf) using the existing ip_input filter hook?

Just to illustrate my previous mail, I've modified if_gif.c.
I've replaced the ingress test with the one I've done. Also, I've
modified the sysctl declaration and added IPv6 support.
Some more optimisation could be done, as the ingress_check functions for
ip and ip6 are similar.

I did the test on if_stf.c (but I need to clean the NAT part, so I did
not include it). Actually, if_stf and if_gif are the only subsystems
which use ingress checking.

The patch allows if_stf and if_gif to operate the same way (ingress
filtering with the iff_link flag) and adds a global ingress filter in ip
and ipv6.