[comp.protocols.tcp-ip] Packet filtering for 4.3BSD ?

pdb@sei.cmu.edu (Patrick Barron) (11/08/88)

I have a TCP/IP gateway running 4.3BSD, and I've just been told that it
has to be able to filter packets based on UDP and TCP port numbers, and
possibly on source and destination IP addresses.  Has anyone already modified
4.3BSD to do this sort of thing?  If so, I'd like to see the code...

Thanks,
--Pat Barron
  CMU Software Engineering Institute
  Systems and Network Engineering

vixie@decwrl.dec.com (Paul Vixie) (11/10/88)

# I have a TCP/IP gateway running 4.3BSD, and I've just been told that it
# has to be able to filter packets based on UDP and TCP port numbers, and
# possibly on source and destination IP addresses.  Has anyone already modified
# 4.3BSD to do this sort of thing?  If so, I'd like to see the code...

In principle, this is not that hard to do.  Issues are:

1. speed -- every packet is going to go through the filter, it has to be an
  FSM or some other very efficient mechanism;

2. manageability -- the language you speak to the filter in (telling it what's
  allowed and what's not) has to be readable.  Something built along the lines
  of sendmail.cf would be easiest to implement but would be (another) crime
  against reality.

3. minimal change -- the hook in the kernel has to be very narrow, since you
  will want to be able to pop the filter into future versions of TCP (CSRG
  promises many changes in the next release of their code, and streams-based
  TCP implementations are going to get more popular).  Portability is also
  a concern, for the same reasons.

Like I said, in principle it's not that hard.  But if anyone actually
implements something and/or publishes a paper on it, I'd sure like to
hear about it.  SMOP and all that.
-- 
Paul Vixie
Work:    vixie@decwrl.dec.com    decwrl!vixie    +1 415 853 6600
Play:    paul@vixie.sf.ca.us     vixie!paul      +1 415 864 7013

bart@videovax.Tek.COM (Bart Massey) (11/11/88)

In article <45@gnome6.pa.dec.com> vixie@decwrl.dec.com (Paul Vixie) writes:
> # I have a TCP/IP gateway running 4.3BSD, and I've just been told that it
> # has to be able to filter packets based on UDP and TCP port numbers, and
> # possibly on source and destination IP addresses.  Has anyone already modified
> # 4.3BSD to do this sort of thing?  If so, I'd like to see the code...
> 
> In principle, this is not that hard to do.  Issues are:
> 1. speed
> 2. manageability
> 3. minimal change 
> Like I said, in principle it's not that hard.  But if anyone actually
> implements something and/or publishes a paper on it, I'd sure like to
> hear about it.  SMOP and all that.

One of the lesser known pieces of useful code I discovered recently is the
BSD "packet filter" code which has been around since at least 4.2D, and is
currently in /usr/src/new/enet in the 4.3 distribution.  With fairly minimal
changes (mainly to the ethernet driver for your machine) you should be able
to get it to do everything you want and satisfy 1-3 above...  Its chief use
currently is for filtering off and generating V packets for UNIX V servers,
but it's really much more general-purpose than that...

					Bart Massey
					
					Tektronix, Inc.
					TV Systems Engineering
					M.S. 58-639
					P.O. Box 500
					Beaverton, OR 97077
					(503) 627-5320

					UUCP: ..tektronix!videovax!bart
					DOMAIN: bart@videovax.tek.com

mogul@DECWRL.DEC.COM (Jeffrey Mogul) (11/16/88)

Someone (whose name is now lost to me) recently asked
  I have a TCP/IP gateway running 4.3BSD, and I've just been told that it
  has to be able to filter packets based on UDP and TCP port numbers, and
  possibly on source and destination IP addresses.  Has anyone already modified
  4.3BSD to do this sort of thing?  If so, I'd like to see the code...

bart@videovax.Tek.COM (Bart Massey) responded:
   One of the lesser known pieces of useful code I discovered recently is the
   BSD "packet filter" code which has been around since at least 4.2D, and is
   currently in /usr/src/new/enet in the 4.3 distribution.  With fairly minimal
   changes (mainly to the ethernet driver for your machine) you should be able
   to get it to do everything you want and satisfy 1-3 above...  Its chief use
   currently is for filtering off and generating V packets for UNIX V servers,
   but it's really much more general-purpose than that...

Since I wrote much of the "packet filter" code in question, I felt I
should respond.  I'll agree that it's useful, but it would take more
than "minimal changes" to connect it into the gateway function of a
4.xBSD kernel.  I suppose one could modify the ethernet driver to dump
(copies of) all the incoming IP packets into the packet filter, which
would then pass them to a user-level process ... which would have to
implement all the functions of an IP gateway, including routing,
fragmentation, etc.

Alternatively, one could perhaps modify the IP input code to run
forwardable packets through the packet filter, which would also have to
be modified somewhat to pass the packets on to the forwarding code in
the kernel (instead of out to a user process).

Either way, this seems like a lot of work, and I suspect that it would
be almost as easy to build a much simpler and more suitable mechanism
for this purpose.

I'd also like to suggest that this is one more reason why people should
not be using 4.xBSD systems as gateways; I believe that some of the
commercially-available gateway products provide some filtering
functions.

-Jeff
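
Mogul's second option, a hook in the IP input path that runs forwardable packets through a filter before the forwarding code sees them, only needs a small decision routine behind it. What follows is an added example written for this page, not code from the thread or from the BSD packet filter Mogul and Massey discuss: a first-match rule table keyed on source/destination address, protocol and destination port, applied to a raw IPv4 datagram. The site addresses (10.1.0.0/16), the rule layout and the helper names are constructed for illustration. It denies by default, denies anything too short to be an IPv4 header, and treats non-first fragments as unable to satisfy a port rule, because only the first fragment carries the transport header; the fragmentation Mogul mentions as a gateway function is exactly the case a port-based filter has to handle deliberately.

```c
/* Added example, not code from the thread: a first-match rule table applied to
 * a raw IPv4 datagram. A forwarding hook in the IP input path would call
 * filter_packet() on each forwardable packet before passing it on.
 * The rule table, the addresses and the sample packets are all constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum action { DENY = 0, ALLOW = 1 };

struct rule {
    uint32_t src, src_mask;          /* host-order address and netmask; mask 0 = any */
    uint32_t dst, dst_mask;
    uint8_t  proto;                  /* 6 = TCP, 17 = UDP, 0 = any */
    uint16_t dport_lo, dport_hi;     /* destination port range; 0-0 = any */
    enum action act;
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MASK16 0xffff0000u
#define MASK32 0xffffffffu

/* Constructed policy for a fictional site 10.1.0.0/16: SMTP to any host,
 * DNS to one server, nothing else. Order matters: first match wins. */
const struct rule site_rules[] = {
    { 0, 0, IP4(10,1,0,0),  MASK16, 6,  25, 25, ALLOW },
    { 0, 0, IP4(10,1,0,53), MASK32, 17, 53, 53, ALLOW },
    { 0, 0, 0, 0, 0, 0, 0, DENY },
};
const size_t site_nrules = sizeof site_rules / sizeof site_rules[0];

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Decide on one datagram. Malformed input, or no matching rule, is DENY. */
enum action filter_packet(const uint8_t *pkt, size_t len,
                          const struct rule *rules, size_t nrules)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return DENY;     /* need a whole IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return DENY;
    uint16_t frag_off = rd16(pkt + 6) & 0x1fff;           /* offset in 8-byte units */
    uint8_t  proto = pkt[9];
    uint32_t src = rd32(pkt + 12), dst = rd32(pkt + 16);

    /* Ports sit in the first 4 bytes of the TCP/UDP header, which only the
     * first fragment carries; a later fragment can never satisfy a port rule. */
    int have_ports = frag_off == 0 && (proto == 6 || proto == 17) && len >= ihl + 4;
    uint16_t dport = have_ports ? rd16(pkt + ihl + 2) : 0;

    for (size_t i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        if ((src & r->src_mask) != (r->src & r->src_mask)) continue;
        if ((dst & r->dst_mask) != (r->dst & r->dst_mask)) continue;
        if (r->proto != 0 && r->proto != proto) continue;
        if (r->dport_lo != 0 || r->dport_hi != 0) {       /* rule constrains the port */
            if (!have_ports) continue;
            if (dport < r->dport_lo || dport > r->dport_hi) continue;
        }
        return r->act;                                    /* first match wins */
    }
    return DENY;                                          /* default deny */
}

/* Build a minimal 28-byte datagram (20-byte IP header + 8 bytes of transport
 * header) for testing; returns its length. Checksums are left zero. */
size_t make_packet(uint8_t buf[28], uint32_t src, uint32_t dst, uint8_t proto,
                   uint16_t frag_off, uint16_t sport, uint16_t dport)
{
    buf[0] = 0x45; buf[1] = 0;             /* IPv4, IHL 5, no TOS */
    wr16(buf + 2, 28);                     /* total length */
    wr16(buf + 4, 0x1234);                 /* identification */
    wr16(buf + 6, frag_off & 0x1fff);      /* flags clear, fragment offset */
    buf[8] = 64; buf[9] = proto;           /* TTL, protocol */
    wr16(buf + 10, 0);
    wr32(buf + 12, src); wr32(buf + 16, dst);
    wr16(buf + 20, sport); wr16(buf + 22, dport);
    wr32(buf + 24, 0);
    return 28;
}

/* Convenience: build one packet and filter it against the site policy. */
enum action check(uint32_t src, uint32_t dst, uint8_t proto, uint16_t frag_off, uint16_t dport)
{
    uint8_t buf[28];
    size_t n = make_packet(buf, src, dst, proto, frag_off, 40000, dport);
    return filter_packet(buf, n, site_rules, site_nrules);
}

int main(void)
{
    const char *name[] = { "deny", "allow" };
    printf("SMTP to 10.1.0.25:         %s\n", name[check(IP4(192,168,5,7), IP4(10,1,0,25), 6, 0, 25)]);
    printf("telnet to 10.1.0.25:       %s\n", name[check(IP4(192,168,5,7), IP4(10,1,0,25), 6, 0, 23)]);
    printf("SMTP, non-first fragment:  %s\n", name[check(IP4(192,168,5,7), IP4(10,1,0,25), 6, 1, 25)]);
    return 0;
}
```

The table walk is linear in the number of rules, which is fine for a handful of entries; a kernel version would compile the same rules into the table-driven matcher Vixie asks for under "speed", without changing the match semantics. The fragment rule is the part worth copying: a filter that reads ports from every fragment blindly will read payload bytes as port numbers on every fragment after the first.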

CERF@A.ISI.EDU (11/18/88)

Pat Barron,
by whom have you been told to support filtering of packets
based on UDP and TCP port numbers and source/dest IP addrs?

Thanks,

Vint