>> > We do not have any flag, which blocks forwarding of packets
>> > received on some interface. This is duty of firewall.
>>
>> I think the problem is that "being a router" or "being a host" should be
>> per-interface, which means the global devconf6 forwarding flag should go
>> away.
>
>Let me repeat: we do not have any flag which blocks forwarding
>per interface. :-) Killing global flag would mean that we do not have
>any way to disable forwarding at all.
I know, I'm saying that's the problem. :-) I'm saying a more useful
and intuitive way to interpret the per-interface "forwarding" flag is as
a "willing to forward received packets from this interface" flag. Then,
that would be the *only* flag you check when receiving something not for
a local address. If you want more complicated set-ups, then you use a
firewall. That flag should also determine whether you behave as a router
on that link with all other things, including the isRouter flag, etc. I
can do a patch prototype, if you want to see what I mean in detail. :-)
>So, as soon as you forward at least on one interface, global
>flag must be ON. And packet filtering must be made with firewall.
Yes, I think that should be changed. I think being a router or a host
should be per-interface on input. Once you have a packet, output is the
same whether you generated it or someone else did (no global flag, no
"output forwarding" flag). If you want more specialized behaviour, then
you use a firewall.
>> join
>> the all-routers multicast group, etc. etc.
>
>WHAT? Kernel does not use this multicast group, hence it has
>no reasons to join it.
I know it doesn't, it's supposed to. That's what the patch I submitted
that started this discussion fixes. Just like the "all-nodes" group, all
routers should join the all-routers group. The problem (or, one problem)
with having individual applications join it is they all have to check
repeatedly the state of "forwarding" (because hosts are not supposed to
be in that group, routers are). If a router becomes a host or vice versa
after boot, the all-routers group membership should change.

It also makes it easier for applications. They can just bind to
INADDR_ANY and receive things sent to any valid address, including the
all-routers group, but leave the management of that (again, must be
based on forwarding state) to the kernel.
> If some module will start to use this group, it will join it.
There are things that use it that should be in the kernel. They just
aren't implemented yet (in the kernel, anyway). But even "ping ff02::2"
should work with conforming implementations. It's trivial, but still a
handy way to find the routers.

The point is: any application that can receive multicast packets should
receive all-routers group packets when forwarding is on and not when
forwarding is off. They won't with the current code, and doing it right
without the kernel joining the group would require the applications to
check the state of the in-kernel forwarding.
+-DLS
|
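The invariant argued for above (an interface is in the ff02::2 all-routers group exactly when forwarding is enabled on it) can be checked from user space. The script below is an added example, not code from the thread or from the kernel patch under discussion: it parses a constructed sample in the layout of /proc/net/igmp6 and a constructed map of per-interface forwarding sysctl values (on a live Linux box these would come from /proc/sys/net/ipv6/conf/<iface>/forwarding), and reports each interface whose group membership disagrees with its forwarding state. The sample interface names and values are invented for the demonstration.

```python
"""Audit per-interface IPv6 forwarding state against all-routers (ff02::2)
group membership. Added illustration; inputs below are constructed samples
so the script runs offline."""
import ipaddress
import os

ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")
ALL_NODES = ipaddress.IPv6Address("ff02::1")

# Constructed sample in the layout of /proc/net/igmp6 (assumed field order:
# ifindex, device, group address as 32 hex digits, users, flags, timer).
SAMPLE_IGMP6 = """\
1    lo              ff020000000000000000000000000001     1 0000000C 0
2    eth0            ff020000000000000000000000000001     1 0000000C 0
2    eth0            ff020000000000000000000000000002     1 00000004 0
3    eth1            ff020000000000000000000000000001     1 0000000C 0
4    eth2            ff020000000000000000000000000001     1 0000000C 0
4    eth2            ff020000000000000000000000000002     1 00000004 0
"""

# Constructed per-interface forwarding values (1 = acts as a router on
# that link, 0 = acts as a host), as read from the per-interface sysctl.
SAMPLE_FORWARDING = {"lo": 0, "eth0": 1, "eth1": 1, "eth2": 0}


def parse_igmp6(text):
    """Return {ifname: set of IPv6Address} of joined multicast groups."""
    groups = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        _ifindex, ifname, hexaddr = fields[:3]
        # The address is printed as 32 hex digits with no colons;
        # IPv6Address accepts the 16-byte packed form directly.
        addr = ipaddress.IPv6Address(bytes.fromhex(hexaddr))
        groups.setdefault(ifname, set()).add(addr)
    return groups


def audit(forwarding, groups):
    """Compare forwarding state with ff02::2 membership per interface.

    Returns {ifname: verdict} where verdict is one of:
      'ok'                forwarding state and membership agree
      'missing-join'      forwarding on, but ff02::2 not joined
      'stale-membership'  forwarding off, but ff02::2 still joined
    """
    verdicts = {}
    for ifname, fwd in forwarding.items():
        joined = ALL_ROUTERS in groups.get(ifname, set())
        if fwd and not joined:
            verdicts[ifname] = "missing-join"
        elif not fwd and joined:
            verdicts[ifname] = "stale-membership"
        else:
            verdicts[ifname] = "ok"
    return verdicts


def read_live_state(conf_root="/proc/sys/net/ipv6/conf",
                    igmp6_path="/proc/net/igmp6"):
    """Read real inputs on Linux; returns None elsewhere (assumed paths)."""
    if not (os.path.isdir(conf_root) and os.path.exists(igmp6_path)):
        return None
    forwarding = {}
    for ifname in os.listdir(conf_root):
        if ifname in ("all", "default"):
            continue  # aggregate entries, not real interfaces
        try:
            with open(os.path.join(conf_root, ifname, "forwarding")) as f:
                forwarding[ifname] = int(f.read().strip())
        except OSError:
            pass
    with open(igmp6_path) as f:
        groups = parse_igmp6(f.read())
    return forwarding, groups


if __name__ == "__main__":
    live = read_live_state()
    fwd, grp = live if live else (SAMPLE_FORWARDING, parse_igmp6(SAMPLE_IGMP6))
    for name, verdict in sorted(audit(fwd, grp).items()):
        print(f"{name:<8} forwarding={fwd[name]} all-routers: {verdict}")
```

On the constructed sample, eth1 is flagged as forwarding without having joined ff02::2 and eth2 as still a member after forwarding was turned off; these are exactly the two states the thread says a kernel-managed membership would make impossible. Run on a real host the script prints the live result instead.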