Why admins do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)

Hal Murray hmurray at megapathdsl.net
Wed May 30 05:18:58 UTC 2018


> I gather it's been a while since you did anything with raw IP. What you want
> is sendto(2)/sendmsg(2).  It's dead easy with those.

Yes.  I think most of my work was with connected sockets.

I poked around a bit and haven't figured out how to use it, but it feels like 
it should work.  Other people have encountered this problem.  This is clearly 
the answer.  I just don't understand the details yet.

Do you have a good example?  Google found one.  My best guess so far is that 
IP_PKTINFO is a socket option and there is an assumption in recvmsg/sendmsg 
that there are no other options that would use "control" info.


> I checked and we're not going to have BSD port issues.

I can't find either IP_PKTINFO or in_pktinfo in /usr/include/ on FreeBSD.  Is 
this going to be fatal?

OpenBSD has IN6P_PKTINFO and in6_pktinfo.  I don't see anything for IPv4.

Looks like NetBSD is OK.

Again, that's just with grep.  I haven't verified that anything works.


-- 
These are my opinions.  I hate spam.
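
The receive-then-reply pattern discussed in this message, as an added example that is not part of the original post or of the project's code: a wildcard-bound UDP socket learns which local address each request arrived on and sends the answer from that same address. It assumes Linux (`IP_PKTINFO`, `struct in_pktinfo`); the names `pktinfo_ctl`, `enable_pktinfo`, `get_local_addr`, `set_source_addr` and `echo_once` are hypothetical.

```c
#define _GNU_SOURCE                 /* glibc: expose struct in_pktinfo */
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* Properly aligned buffer for exactly one IP_PKTINFO control message. */
typedef union { char buf[CMSG_SPACE(sizeof(struct in_pktinfo))]; struct cmsghdr align; } pktinfo_ctl;

/* Once per socket: ask the kernel to attach IP_PKTINFO to every datagram. */
int enable_pktinfo(int fd) {
    int on = 1;
    return setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);
}

/* Local address a datagram arrived on; skips unrelated control messages. 0 = found, -1 = absent. */
int get_local_addr(struct msghdr *m, struct in_addr *local) {
    for (struct cmsghdr *c = CMSG_FIRSTHDR(m); c; c = CMSG_NXTHDR(m, c)) {
        if (c->cmsg_level != IPPROTO_IP || c->cmsg_type != IP_PKTINFO) continue;
        struct in_pktinfo pi;
        memcpy(&pi, CMSG_DATA(c), sizeof pi);   /* CMSG_DATA may be unaligned for the struct */
        *local = pi.ipi_spec_dst;               /* local address; ipi_addr is the header destination */
        return 0;
    }
    return -1;
}

/* Attach a control message to 'm' that forces the source address of the outgoing datagram. */
void set_source_addr(struct msghdr *m, pktinfo_ctl *ctl, struct in_addr src) {
    memset(ctl, 0, sizeof *ctl);
    m->msg_control = ctl->buf;
    m->msg_controllen = sizeof ctl->buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(m);
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    struct in_pktinfo pi = { .ipi_spec_dst = src };   /* ipi_ifindex 0: routing picks the interface */
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
}

/* Echo one request on a wildcard-bound UDP socket, replying from the address it was sent to. */
ssize_t echo_once(int fd) {
    char data[512];
    struct sockaddr_in peer;
    struct in_addr local; pktinfo_ctl ctl;
    struct iovec iov = { data, sizeof data };
    struct msghdr m = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
                        .msg_iovlen = 1, .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    ssize_t n = recvmsg(fd, &m, 0);
    if (n < 0 || get_local_addr(&m, &local) < 0) return -1;
    iov.iov_len = (size_t)n;                    /* send back only what was received */
    set_source_addr(&m, &ctl, local);
    return sendmsg(fd, &m, 0);
}
```

Call `enable_pktinfo()` once after `bind()` to `INADDR_ANY`, then `echo_once()` per request; a control buffer sized for more than one message is needed if other ancillary-data options are enabled on the same socket.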




