2011/7/16 Christiano F. Haesbaert <haesba...@haesbaert.org>:
> H,m, I think it would, since bpf can catch the packet, another possible option
> would be IP_DIVERT to catch the packets and then send it with the raw socket,
> but would still be a little awkward (IMHO).

What's awkward about bpf/divert(4)? And how hard is to filter the
proper replies from the tunnel traffic? It's I think the cleanest
solution above all (and portable at least to freebsd, too).

These things would be great to be controlled per-rdomain or
per-interface, fwiw. Even ip_forwarding could, if it doesn't clash
with the RFCs. But I guess it would be hard to implement, since it's
highly AF-specific, struct domain has no place for it and there's no
tool doing similar things (would be like "route -T1 set -inet
reply_to_icmp 1" ?). And forwarding is used all over the code, which
makes changes like this bug-prone.
The "ndp -i em0 accept_rtadv", if it worked (already taking a look at
it) is on a similar principle, but having O(supported AFs) separate
utilities or O(interfaces) sysctls like in linux would be ugly;
similarly disabling echo replies everywhere looks like an overkill to
me, since you typically need tunnel fo just few places and not on all
interfaces at the same time.

-- 
Martin Pelikan

Reply via email to