Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!decwrl!ucbvax!DECWRL.DEC.COM!mogul
From: mogul@DECWRL.DEC.COM (Jeffrey Mogul)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Packet filtering for 4.3BSD ?
Message-ID: <8811160151.AA09272@acetes.pa.dec.com>
Date: 16 Nov 88 01:51:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 39

Someone (whose name is now lost to me) recently asked

    I have a TCP/IP gateway running 4.3BSD, and I've just been told
    that it has to be able to filter packets based on UDP and TCP port
    numbers, and possibly on source and destination IP addresses.
    Has anyone already modified 4.3BSD to do this sort of thing?
    If so, I'd like to see the code...

bart@videovax.Tek.COM (Bart Massey) responded:

    One of the lesser known pieces of useful code I discovered recently
    is the BSD "packet filter" code which has been around since at least
    4.2D, and is currently in /usr/src/new/enet in the 4.3 distribution.
    With fairly minimal changes (mainly to the ethernet driver for your
    machine) you should be able to get it to do everything you want and
    satisfy 1-3 above...  Its chief use currently is for filtering off
    and generating V packets for UNIX V servers, but it's really much
    more general-purpose than that...

Since I wrote much of the "packet filter" code in question, I felt I
should respond.  I'll agree that it's useful, but it would take more
than "minimal changes" to connect it into the gateway function of a
4.xBSD kernel.  I suppose one could modify the ethernet driver to dump
(copies of) all the incoming IP packets into the packet filter, which
would then pass them to a user-level process ... which would have to
implement all the functions of an IP gateway, including routing,
fragmentation, etc.  Alternatively, one could perhaps modify the IP
input code to run forwardable packets through the packet filter, which
would also have to be modified somewhat to pass the packets on to the
forwarding code in the kernel (instead of out to a user process).
Either way, this seems like a lot of work, and I suspect that it would
be almost as easy to build a much simpler and more suitable mechanism
for this purpose.

I'd also like to suggest that this is one more reason why people
should not be using 4.xBSD systems as gateways; I believe that some of
the commercially-available gateway products provide some filtering
functions.

-Jeff
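A sketch of the "much simpler and more suitable mechanism" the reply alludes to, added here as an example that is not code from the 4.3BSD packet filter or from anyone in this thread: it parses an IPv4 header, pulls out the source and destination addresses, protocol and destination port, and applies a first-match rule list, dropping non-first fragments because they carry no port numbers. `struct rule`, `build_ipv4` and `filter` are hypothetical names, and the sample addresses and ports are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical 5-tuple gateway filter (not the BSD packet filter code); host byte order. */
struct rule {
    uint32_t src, src_mask, dst, dst_mask; /* mask 0 matches any address */
    uint8_t  proto;                        /* 0 = any; 6 = TCP, 17 = UDP */
    uint16_t dport;                        /* 0 = any */
    int      allow;                        /* 1 = forward, 0 = drop */
};
/* Build a 24-byte IPv4 packet: 20-byte header plus the 4 transport bytes that
 * carry the ports. Constructed sample input only, no checksum. */
size_t build_ipv4(uint8_t *buf, uint32_t src, uint32_t dst, uint8_t proto,
                  uint16_t sport, uint16_t dport, uint16_t frag_off)
{
    memset(buf, 0, 24);
    buf[0] = 0x45; buf[3] = 24;                  /* version 4, IHL 5; total length */
    buf[6] = (frag_off >> 8) & 0x1f; buf[7] = frag_off & 0xff;
    buf[9] = proto;
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = src >> (24 - 8 * i);
        buf[16 + i] = dst >> (24 - 8 * i);
    }
    buf[20] = sport >> 8; buf[21] = sport; buf[22] = dport >> 8; buf[23] = dport;
    return 24;
}
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
/* First matching rule wins; unmatched or malformed packets drop. 1 = forward, 0 = drop. */
int filter(const uint8_t *p, size_t n, const struct rule *rules, size_t nrules)
{
    if (n < 20 || (p[0] >> 4) != 4) return 0;
    size_t ihl = (p[0] & 0x0f) * 4;
    if (ihl < 20 || n < ihl) return 0;
    uint8_t proto = p[9]; uint16_t dport = 0;
    if (proto == 6 || proto == 17) {             /* TCP/UDP: ports follow the header */
        if (n < ihl + 4) return 0;
        /* A non-first fragment carries no ports; dropping it closes a bypass. */
        if ((((p[6] & 0x1f) << 8) | p[7]) != 0) return 0;
        dport = p[ihl + 2] << 8 | p[ihl + 3];
    }
    uint32_t src = rd32(p + 12), dst = rd32(p + 16);
    for (size_t i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        if ((src & r->src_mask) != (r->src & r->src_mask)) continue;
        if ((dst & r->dst_mask) != (r->dst & r->dst_mask)) continue;
        if (r->proto && r->proto != proto) continue;
        if (r->dport && r->dport != dport) continue;
        return r->allow;
    }
    return 0;
}
```

A kernel hook would call `filter` from the IP forwarding path with the rule table loaded from user space; the default-drop at the end is what makes an unmatched packet safe rather than silently forwarded.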