> The goal would be to allow firewalling
> code to react differently to packets received on a trusted interface versus
> those on a hostile one, without resorting to specific device names.
Yes, the idea is good. It would solve ipchains scalability problem wrt number
of devices.
> The second question is that if I wanted to implement such a feature in a
> custom firewall driver (which I am considering doing), is there already a
> good location to store such information? The "flags" field of the
> in_device struct does not appear to be used anywhere. If this is true, are
> there any plans to use this field in the future? It might be a good place
> to store data like this. For example: INIF_F_TRUSTED, INIF_F_HOSTILE,
> INIF_F_RDONLY, INIF_F_WRONLY, etc.
Plans are unknown. Actually, this is a stale field, which was forgotten 8)
I'd add the tag to in_device sysctl list and would not not give
it a special semantics: just an integer number set by administrator
via sysctl and checked by firewall module according to its own rules.
Alexey
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/