Great Circle Associates Firewalls
(January 1994)

Subject: Implementing ``good'' firewall router code
From: Craig Metz <cmetz @ thor . tjhsst . edu>
Date: Thu, 20 Jan 1994 19:26:53 EST
To: firewalls @ greatcircle . com

	I am going to be doing some patches to Linux's networking system
to support interface filtering as a way to firewall. One question of 
opinion I have for people with more implementation experience has to do
with decoding vs. the use of masks. I had planned to do something like
basically starting with a table for IP filtering that basically holds a
number of 40-byte records. Each would be a 20-byte mask, a 20-byte 
value, and a comparison-inversion flag. The result of the filter would then 
be the binary AND of the mask with the basic IP 20-byte header compared to 
the value. For instance, if one wanted to drop IP packets with a protocol 
of 42, they would invoke a user program that sent to the kernel a mask with 
all of the fields but the protocol set to 0, the byte corresponding to the
protocol field set to 0xff, a mask with all zeros but the protocol 
field set to 42, and a set inversion flag (to make all packets that satisfy
this rule *not* ok). Similar things would be done to TCP and UDP headers.

	The other option would be to use a data structure and do an operation
like this on specific fields, individually. This would be much more 
computationally expensive in most situations than the above method. My 
question, then, would be to those who have implemented filtering. What kind of
a general method at the low levels did you use, and what do you think about/
for/against this method of filtering? It seems to me like it would be 
*extremely* easy to implement, since most of the real work is done in a kernel-
interface program to set up the masks. The memory space is not a big concern
unless you have giant tables, but bit-masks may allow one to do fun things
there, too. If anyone has thoughts on this, please let me know.

									-Craig

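A worked illustration of the record layout Craig describes (20-byte mask, 20-byte value, inversion flag; the packet passes the rule when `header AND mask == value`), written as an added example for this page. It is not Craig's patch and not code from the Linux networking stack; it runs in user space over constructed headers. Assumptions beyond the post: field offsets follow RFC 791, rules are evaluated first-match, packets matching no rule follow a caller-supplied default policy, and the function and struct names are invented here. The second rule (dropping a /24 source network by masking three address bytes) goes beyond the post's protocol-42 example to show the partial-field matching that a bit-mask design gives for free.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPHDR_LEN 20   /* base IPv4 header only; options (IHL > 5) are not covered */

/* One filter record as described in the post: mask, value, inversion flag.
 * A packet "satisfies" the rule when (hdr & mask) == value for all 20 bytes.
 * invert == true means packets satisfying the rule are NOT ok. */
struct ip_filter_rule {
    uint8_t mask[IPHDR_LEN];
    uint8_t value[IPHDR_LEN];
    bool invert;
};

/* Byte offsets into the 20-byte IPv4 header (RFC 791). */
enum { IP_OFF_TTL = 8, IP_OFF_PROTO = 9, IP_OFF_SRC = 12, IP_OFF_DST = 16 };

/* Program one field: fmask selects the bits to compare, fval gives the
 * expected bits.  The value is AND-ed with the mask so a rule can never
 * demand a bit it does not also mask (such a rule could never match). */
static void rule_set_field(struct ip_filter_rule *r, size_t off,
                           const uint8_t *fmask, const uint8_t *fval, size_t len)
{
    memcpy(r->mask + off, fmask, len);
    for (size_t i = 0; i < len; i++)
        r->value[off + i] = fval[i] & fmask[i];
}

/* The core test from the post: AND the header with the mask, compare to value. */
static bool rule_matches(const struct ip_filter_rule *r, const uint8_t hdr[IPHDR_LEN])
{
    for (size_t i = 0; i < IPHDR_LEN; i++)
        if ((hdr[i] & r->mask[i]) != r->value[i])
            return false;
    return true;
}

/* Walk the table in order; the first matching rule decides.
 * Assumption (not in the post): unmatched packets follow default_ok. */
static bool ip_filter_ok(const struct ip_filter_rule *table, size_t n,
                         const uint8_t hdr[IPHDR_LEN], bool default_ok)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&table[i], hdr))
            return !table[i].invert;
    return default_ok;
}

/* The post's example: mask 0xff on the protocol byte, value 42, inverted. */
static struct ip_filter_rule rule_drop_proto42(void)
{
    struct ip_filter_rule r;
    memset(&r, 0, sizeof r);
    uint8_t m = 0xff, v = 42;
    rule_set_field(&r, IP_OFF_PROTO, &m, &v, 1);
    r.invert = true;
    return r;
}

/* Beyond the post: drop everything from 10.1.2.0/24 (assumed example prefix)
 * by masking only the first three bytes of the source address. */
static struct ip_filter_rule rule_drop_src_net(void)
{
    struct ip_filter_rule r;
    memset(&r, 0, sizeof r);
    uint8_t m[4] = { 0xff, 0xff, 0xff, 0x00 }, v[4] = { 10, 1, 2, 0 };
    rule_set_field(&r, IP_OFF_SRC, m, v, 4);
    r.invert = true;
    return r;
}

/* Constructed (not captured) minimal IPv4 header for exercising the table. */
static void make_hdr(uint8_t hdr[IPHDR_LEN], uint8_t proto,
                     const uint8_t src[4], const uint8_t dst[4])
{
    memset(hdr, 0, IPHDR_LEN);
    hdr[0] = 0x45;                 /* version 4, IHL 5 (no options) */
    hdr[3] = 40;                   /* total length 40, high byte 0 */
    hdr[IP_OFF_TTL] = 64;
    hdr[IP_OFF_PROTO] = proto;
    memcpy(hdr + IP_OFF_SRC, src, 4);
    memcpy(hdr + IP_OFF_DST, dst, 4);
}

/* Run one constructed packet through the two-rule table (default: accept). */
static bool example_filter(uint8_t proto, const uint8_t src[4])
{
    struct ip_filter_rule table[2] = { rule_drop_proto42(), rule_drop_src_net() };
    static const uint8_t dst[4] = { 192, 168, 1, 1 };
    uint8_t hdr[IPHDR_LEN];
    make_hdr(hdr, proto, src, dst);
    return ip_filter_ok(table, 2, hdr, true);
}

int main(void)
{
    const uint8_t a[4] = { 192, 168, 0, 5 }, b[4] = { 10, 1, 2, 77 };
    printf("proto 6  from 192.168.0.5: %s\n", example_filter(6, a) ? "ok" : "drop");
    printf("proto 42 from 192.168.0.5: %s\n", example_filter(42, a) ? "ok" : "drop");
    printf("proto 6  from 10.1.2.77:   %s\n", example_filter(6, b) ? "ok" : "drop");
    return 0;
}
```

Two practical points the mask/value scheme raises. A record whose mask is all zeros matches every packet, so an inverted all-zero rule placed last turns the table into default-deny without special-casing the fall-through. Applying the same trick to TCP and UDP headers needs care at the boundary: the transport header starts at IHL*4, not at byte 20, when IP options are present, and non-first fragments carry no transport header at all, so a fixed-offset transport rule must either compute its offset from IHL and check the fragment offset field or decline to pass such packets.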

Follow-Ups:
Re: Implementing ``good'' firewall router code
From: Bernhard . Schneck @ Physik . TU-Muenchen . DE
