Full Disclosure mailing list archives

ipfilter port to linux


From: Darren Reed <avalon () caligula anu edu au>
Date: Thu, 29 Jan 2004 12:59:38 +1100 (Australia/ACT)

In some mail from Ian Latter, sie said:

> If anyone is currently working on this I'd like to hear from them.

> I thought the ANU guys had made an ipfilter port to linux at about

Heh.  That's a funny categorisation of people :)

> (linux) kernel 2.0 (it was an option against ipfwadm) .. but I have
> just done a quick search and I can't see any reference to that.

FWIW, I've recommended work on that and it is about 80% there, I think.
I was working with 2.4.18-20 or whatever comes with RedHat 9.0.  I've
not yet tried 2.6 but it should not be a lot of work since I've adapted
my code to use the netfilter interface.  So having done the ground work
of being (AFAIK :) the first outside of the core linux community to do
such a task, I'm sure others can now copy and follow...

If you're interested in progress, you can download current source from:
http://coombs.anu.edu.au/~avalon/ipf40beta5.tar.gz

The 20% that I'm not sure about involves ipfilter generating packets
and doing things like trying to determine if a packet has a spoofed
source address based on routing tables or generate packets itself -
the problem here is in trying to find the right Linux kernel API to use,
if at all possible.  While it might be open source and all, it's
preferable for users to not have to patch linux kernel source (building
a kernel module for Linux and having it "just work" is nowhere near
as easy as *ANY* other Un*x platform I target.)  Now if someone wanted
a *real* 2.7 feature to add to linux, it'd be supporting building a
kernel module without requiring /usr/src/linux to be present...but I
can hear the screams already telling me why that's such a bad idea :)
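The spoofed-source check Darren refers to is a reverse-path lookup: the firewall asks the routing table which interface it would use to reach the packet's source address and compares that with the interface the packet actually arrived on. The following sketch is an added illustration, not code from this message or from IPFilter; it models the logic in user space against a small constructed routing table (the prefixes, interface names and the strict/loose distinction are assumptions for the example).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: Optional[str]   # egress interface; None marks a blackhole/unreachable route


# Constructed example routing table for the illustration (not from any real host).
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),      # default route via upstream
    Route(ipaddress.ip_network("10.1.0.0/16"), "eth1"),    # internal LAN
    Route(ipaddress.ip_network("10.1.5.0/24"), "eth2"),    # more specific: DMZ segment
    Route(ipaddress.ip_network("192.0.2.0/24"), None),     # blackhole (RFC 5737 test range)
]


def lookup(routes, addr):
    """Longest-prefix match, the same rule a kernel forwarding lookup applies."""
    addr = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def rpf_verdict(routes, src, ingress, strict=True):
    """Reverse-path check for a packet with source `src` received on `ingress`.

    strict: the route back to the source must leave via the ingress interface.
    loose:  any non-blackhole route to the source is enough (useful with
            asymmetric routing, at the cost of weaker spoofing detection).
    Returns "pass" or "drop".
    """
    route = lookup(routes, src)
    if route is None or route.iface is None:
        return "drop"          # no usable return path: source cannot be legitimate
    if strict and route.iface != ingress:
        return "drop"          # return path disagrees with arrival interface
    return "pass"


if __name__ == "__main__":
    # Internal address arriving from the upstream side is the classic spoof case.
    for src, ingress in [("10.1.5.7", "eth2"), ("10.1.5.7", "eth0"),
                         ("203.0.113.4", "eth0"), ("192.0.2.9", "eth0")]:
        print(src, ingress, rpf_verdict(ROUTES, src, ingress))
```

The hard part Darren describes is not this logic but obtaining the lookup result from inside a kernel module without patching the tree; the user-space model only fixes the decision rule the module has to reproduce.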

Darren

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
