Why admin's do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)
hmurray at megapathdsl.net
Wed May 30 05:18:58 UTC 2018
> I gather it's been a while since you did anything with raw IP. What you want
> is sendto(2)/sendmsg(2). It's dead easy with those.
Yes. I think most of my work was with connected sockets.
I poked around a bit and haven't figured out how to use it, but it feels like
it should work. Other people have encountered this problem. This is clearly
the answer. I just don't understand the details yet.
Do you have a good example? Google found one. My best guess so far is that
IP_PKTINFO is a socket option and there is an assumption in recvmsg/sendmsg
that there are no other options that would use "control" info.
> I checked and we're not going to have BSD port issues.
I can't find either IP_PKTINFO or in_pktinfo in /usr/include/ on FreeBSD. Is
this going to be fatal?
OpenBSD has IN6P_PKTINFO and in6_pktinfo. I don't see anything for IPv4.
Looks like NetBSD is OK.
Again, that's just with grep. I haven't verified that anything works.
These are my opinions. I hate spam.