Why admins do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)
Eric S. Raymond
esr at thyrsus.com
Wed May 30 00:53:26 UTC 2018
Hal Murray <hmurray at megapathdsl.net>:
> Can we get the dest address on receive without a separate socket per IP
> Address? recvfrom() gives us the source address. I don't see how to get the
> dest address, but I haven't looked very hard.
Here's the hook:
    IP_PKTINFO (since Linux 2.2)
        Pass an IP_PKTINFO ancillary message that contains a pktinfo
        structure that supplies some information about the incoming
        packet. This only works for datagram oriented sockets. The
        argument is a flag that tells the socket whether the IP_PKTINFO
        message should be passed or not. The message itself can
        only be sent/retrieved as control message with a packet using
        recvmsg(2) or sendmsg(2).

        struct in_pktinfo {
            unsigned int   ipi_ifindex;  /* Interface index */
            struct in_addr ipi_spec_dst; /* Local address */
            struct in_addr ipi_addr;     /* Header Destination
                                            address */
        };
This is all RFC3542 (Advanced Sockets API). Nominally it's standardized
only for IPV6 but every stack I've looked at implements it for IPV4 as
well - I think this is one of those cases where getting that wrong would
be extra work. I checked and we're not going to have BSD port issues.
> I'm not sure how to set the dest address on transmit. At worst we need
> another socket and do a bind() before sending each packet. If bind is
> expensive, we could keep a pre-bound socket per address, and garbage collect
> the ones that don't get used, and ...
I gather it's been a while since you did anything with raw IP. What you
want is sendto(2)/sendmsg(2). It's dead easy with those.
--
Eric S. Raymond <http://www.catb.org/~esr/>
My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
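Added example, not from this thread or from the project under discussion: the two hooks named above on Linux, IP_PKTINFO on a wildcard-bound UDP socket to learn which local address a datagram was delivered to, and sendmsg(2) with an in_pktinfo control message to send the reply from that same address (ipi_spec_dst). The function names, the 1024-byte buffer and the port argument are this example's own choices.

```c
#define _GNU_SOURCE              /* exposes IP_PKTINFO and struct in_pktinfo */
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Wildcard-bound UDP socket with IP_PKTINFO on, so recvmsg() reports the local address. */
int open_pktinfo_socket(uint16_t port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0), on = 1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (fd < 0 || setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof on) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}
/* Pull the in_pktinfo out of the control data recvmsg() filled in; 0 if absent. */
int get_pktinfo(struct msghdr *msg, struct in_pktinfo *out) {
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 1;
        }
    return 0;
}
/* Attach IP_PKTINFO to an outgoing msghdr; ipi_spec_dst becomes the source
   address of the reply. buf must hold CMSG_SPACE(sizeof(struct in_pktinfo)). */
void set_pktinfo(struct msghdr *msg, void *buf, struct in_addr src) {
    struct in_pktinfo pi = { .ipi_ifindex = 0, .ipi_spec_dst = src };
    msg->msg_control = buf;
    msg->msg_controllen = CMSG_SPACE(sizeof pi);
    struct cmsghdr *c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof pi);
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
}
/* Echo one datagram to its sender from the address it arrived on (ipi_spec_dst
   is a local unicast address even when the packet was sent to broadcast). */
int echo_once(int fd) {
    char data[1024];
    union { char buf[CMSG_SPACE(sizeof(struct in_pktinfo))]; struct cmsghdr align; } ctl;
    struct sockaddr_in peer;
    struct iovec iov = { .iov_base = data, .iov_len = sizeof data };
    struct msghdr msg = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
        .msg_iovlen = 1, .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    struct in_pktinfo pi; ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0 || !get_pktinfo(&msg, &pi)) return -1;
    iov.iov_len = (size_t)n;                 /* send back exactly what arrived */
    set_pktinfo(&msg, ctl.buf, pi.ipi_spec_dst);
    return sendmsg(fd, &msg, 0) < 0 ? -1 : 0;
}
```

A server loop is `int fd = open_pktinfo_socket(port); while (echo_once(fd) == 0) ;`, and the same cmsg handling works with an IP_RECVDSTADDR/IP_SENDSRCADDR pair on the BSDs.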