2011/7/16 Christiano F. Haesbaert <haesba...@haesbaert.org>: > H,m, I think it would, since bpf can catch the packet, another possible option > would be IP_DIVERT to catch the packets and then send it with the raw socket, > but would still be a little awkward (IMHO).
What's awkward about bpf/divert(4)? And how hard is to filter the proper replies from the tunnel traffic? It's I think the cleanest solution above all (and portable at least to freebsd, too). These things would be great to be controlled per-rdomain or per-interface, fwiw. Even ip_forwarding could, if it doesn't clash with the RFCs. But I guess it would be hard to implement, since it's highly AF-specific, struct domain has no place for it and there's no tool doing similar things (would be like "route -T1 set -inet reply_to_icmp 1" ?). And forwarding is used all over the code, which makes changes like this bug-prone. The "ndp -i em0 accept_rtadv", if it worked (already taking a look at it) is on a similar principle, but having O(supported AFs) separate utilities or O(interfaces) sysctls like in linux would be ugly; similarly disabling echo replies everywhere looks like an overkill to me, since you typically need tunnel fo just few places and not on all interfaces at the same time. -- Martin Pelikan