tech-net archive


Re: Global ingress filter for ip



Rodolphe,

Ignoring code style issues...

This seems architecturally confused as you're moving checking that
is currently done by gif into IP but then you're only enabling it when
gif is used.  Then there appears to be some occasions when, to use
this feature right, you need to have some special bits in pkthdr that
are in their own field and not there today.

Maybe you should start with adding it to the decapsulation framework
(ip_encap.c) that supports stf/gif interfaces?

Right now, it doesn't look right at all.

Darren

Rodolphe De Saint Leger wrote:
On Sat, Mar 29, 2008 at 4:24 PM, Rodolphe De Saint Leger
<rdesaintleger%gmail.com@localhost> wrote:
> On Fri, Mar 28, 2008 at 6:22 PM, Thor Lancelot Simon <tls%rek.tjls.com@localhost> wrote:
>  Hi,
>
>  Just to illustrate my previous mail, I've modified if_gif.c.
>  I've replaced the ingress test with the one I've done. Also, I've
>  modified the sysctl declaration and added IPv6 support.
>  Some more optimisation could be done, as the ingress_check functions for
>  ip and ip6 are similar.
>
>  I did the test on if_stf.c (but I need to clean the NAT part, so I did
>  not include it). Actually, if_stf and if_gif are the only subsystems
>  which use ingress checking.
>
>  The patch allows if_stf and if_gif to operate the same way (ingress
>  filtering with the iff_link flag) and adds a global ingress filter in ip
>  and ipv6.
>

Sorry, I forgot the patch link...

http://shumira.roroland.net/patch/20080329/ingress.diff

Regards,
Rodolphe
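To make concrete what "ingress filtering" means for a gif/stf tunnel in the exchange above, here is an added user-space model of the check, written for this page. It is not NetBSD's if_gif.c and not the code in Rodolphe's patch (which is only linked, not reproduced, here). The interface names, addresses, routing table and the `tunnel_accept`, `route_lookup` and `ip4_aton` helpers are all constructed for the example. With the filter flag set, a packet whose outer source is the configured peer is accepted only if the route back to that source leaves through the interface the packet arrived on; the same outer header injected on another interface is dropped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One entry of a constructed routing table (not from any real host). */
struct route_entry {
    uint32_t dst;        /* network address, host byte order */
    uint32_t mask;       /* netmask, host byte order */
    const char *ifname;  /* interface the route sends out of */
};

static const struct route_entry rtable[] = {
    { 0x0A000000u, 0xFF000000u, "em0" },  /* 10.0.0.0/8     -> em0 */
    { 0xC0A80000u, 0xFFFF0000u, "em1" },  /* 192.168.0.0/16 -> em1 */
    { 0x00000000u, 0x00000000u, "em0" },  /* default        -> em0 */
};

/* Parse a dotted quad into a host-order uint32_t; false on malformed input. */
bool ip4_aton(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;

    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return false;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return false;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

/* Longest-prefix match over rtable; returns the egress interface or NULL. */
const char *route_lookup(uint32_t addr)
{
    const char *best = NULL;
    uint32_t best_mask = 0;

    for (size_t i = 0; i < sizeof rtable / sizeof rtable[0]; i++) {
        if ((addr & rtable[i].mask) != rtable[i].dst)
            continue;
        if (best == NULL || rtable[i].mask > best_mask) {
            best = rtable[i].ifname;
            best_mask = rtable[i].mask;
        }
    }
    return best;
}

/* Tunnel endpoint configuration, in the gif sense of psrc/pdst (hypothetical). */
struct tunnel {
    uint32_t local;        /* our outer address (psrc) */
    uint32_t remote;       /* peer's outer address (pdst) */
    bool ingress_filter;   /* the per-interface link flag that enables the check */
};

/*
 * Decide whether an encapsulated packet that arrived on `rcvif` with outer
 * header (outer_src -> outer_dst) may be handed to the tunnel.  First the
 * outer addresses must match the configured endpoints; then, if the filter
 * is on, the route back towards outer_src must leave through rcvif, so a
 * packet forged with the peer's address but injected on another interface
 * is dropped.
 */
bool tunnel_accept(const struct tunnel *t, const char *rcvif,
                   uint32_t outer_src, uint32_t outer_dst)
{
    const char *via;

    if (outer_src != t->remote || outer_dst != t->local)
        return false;                /* not our configured peer */
    if (!t->ingress_filter)
        return true;                 /* filter off: endpoint match suffices */
    via = route_lookup(outer_src);
    if (via == NULL)
        return false;                /* no route back: drop */
    return strcmp(via, rcvif) == 0;  /* reverse-path check */
}

int main(void)
{
    uint32_t local, remote;
    struct tunnel t;

    ip4_aton("10.1.1.1", &local);       /* constructed addresses */
    ip4_aton("192.168.5.5", &remote);
    t.local = local; t.remote = remote; t.ingress_filter = true;

    printf("peer reached via em1, arrived on em1: %s\n",
           tunnel_accept(&t, "em1", remote, local) ? "accept" : "drop");
    printf("peer reached via em1, arrived on em0: %s\n",
           tunnel_accept(&t, "em0", remote, local) ? "accept" : "drop");
    return 0;
}
```

The check needs two inputs beyond the outer header: the interface the packet arrived on (the `rcvif` argument here; in a kernel that comes from the packet header) and a route lookup on the outer source. Both are per-tunnel, per-receipt facts, which is what makes the placement of the check the subject of the discussion above.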


