Date: Sun, 30 Jul 2000 21:44:48 -0400
From: Ping Pan <pingpan@research.bell-labs.com>
To: Kris Kennaway <kris@freebsd.org>
Cc: Jeroen Ruigrok/Asmodai <asmodai@wxs.nl>, freebsd-net@freebsd.org
Subject: Re: Fwd: A new kernel extension to deal with IP option packets
Message-ID: <3984DA10.636ACA1A@research.bell-labs.com>
References: <Pine.BSF.4.21.0007301817480.26452-100000@freefall.freebsd.org>

Kris Kennaway wrote:
>
> On Sun, 30 Jul 2000, Jeroen Ruigrok/Asmodai wrote:
>
> > We have designed and developed a new socket protocol family to support
> > IP option packets in BSD. It allows the users to intercept any IP option
> > packet (source routing, router-alert...) from socket interface. So users
> > can play fancy tricks with packets.
>
> Can't we do this already with ipfw and divert sockets? ipfw can already
> match IP packets containing options.
>

Yes, except that to have a security system, we need to put the IP option
filters to be the *last* ones to check. That could be somewhat tricky
during the filter configuration.

Also since filter lookup (for divert) is quite extensive on several packet
fields, I am not sure using the divert mechanism would give the best
performance results.

Regards,

- Ping

> Kris
>
> --
> In God we Trust -- all others must submit an X.509 certificate.
>     -- Charles Forsythe <forsythe@alum.mit.edu>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message