Why admin's do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)

Eric S. Raymond esr at thyrsus.com
Wed May 30 00:53:26 UTC 2018

Hal Murray <hmurray at megapathdsl.net>:
> Can we get the dest address on receive without a separate socket per IP 
> Address?  recvfrom() gives us the source address.  I don't see how to get the 
> dest address, but I haven't looked very hard.

Here's the hook:

      IP_PKTINFO (since Linux 2.2)
              Pass an IP_PKTINFO ancillary message that contains a pktinfo
              structure that supplies some information about the incoming
              packet.  This only works for datagram oriented sockets.  The
              argument is a flag that tells the socket whether the IP_PKT‐
              INFO message should be passed or not.  The message itself can
              only be sent/retrieved as control message with a packet using
              recvmsg(2) or sendmsg(2).

                  struct in_pktinfo {
                      unsigned int   ipi_ifindex;  /* Interface index */
                      struct in_addr ipi_spec_dst; /* Local address */
                      struct in_addr ipi_addr;     /* Header Destination
                                                      address */

This is all RFC3542 (Advanced Sockets API). Nominally it's standardized
only for IPV6 but every stack I've looked at implements it for IPV4 as
well -  I think this is one of those cases where getting that wrong would
be extra work.  I checked and we're not going to have BSD port issues.

> I'm not sure how to set the dest address on transmit.  At worst we need 
> another socket and do a bind() before sending each packet.  If bind is 
> expensive, we could keep a pre-bound socket per address, and garbage collect 
> the ones that don't get used, and ...

I gather it's been a while since you did anything with raw IP. What you
want is sendto(2)/sendmsg(2).  It's dead easy with those.
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.

More information about the devel mailing list