On Tue, Dec 07, 1999 at 10:40:09PM +0100, bert hubert wrote: > The free unixes these days mostly come with packet filtering available by > default, these might be best off. One could imagine a 'libfilter' which > would easily allow daemons with the right permissions/capabilities to > instruct the kernel to not accept connections anymore from a certain host. Also as osserved by Pancrazio De Mauro there are not reasons to know the client IP only after accept(2) the connection. The SYN packet contains the IP address so it's possible to implement for example an accept2 that return just after SYN was received so we can obtain the IP address and then use accpet2_reset() to RST or accept2_ok() to follow the threeway handshake. Since this can be implemented using new syscall API compatibility is preserved, but this seems a lot better than modify on the fly firewalling rules. antirez
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:19:35 PDT