tech-net archive

Re: Adding packet filtering to tun interfaces

Maxime Villard writes:

>> When can it do that?
> It can do that in L4 when handling fragments. [...]

Ah, thanks for the explanation!  I've got a better overview, now.

>> I adapted the pfil_run_hooks() calls from those in if_vlan.c, so they'll
>> need fixing, too.
> Mmh yes, they will need fixing, I missed that.

I'll post a new proposal when I have all of this sorted out and tested.

> But now that I'm thinking about it... Are you sure that your change
> indeed enforces NPF policies? If you pass ifp->if_pfil normally it
> doesn't do IP filtering, unless I missed something else.

My change to if_tun.c does make NPF work as expected.  I've tested it
carefully, in both directions.  (NPF also works correctly for VLANs.)

Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay
