* [9front] [PITCH] ip/null
From: Jacob Moody @ 2022-11-16 3:42 UTC (permalink / raw)
To: 9front
As I play around more with 9front as my router, I found myself reaching for some
kind of 'firewall'. I find that we already have a pretty good interface in the kernel
in the form of ipmux. But there aren't too many ways of making use of it as is. I hacked up
something quick to just drop packets matching a filter onto the floor. If others find it
useful I can make up a man page and present again with a bit more polish.
Some examples:
# Drop inbound private range
ip/null 'ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0'
# google verboden
ip/null 'ifc=my.internal.ip;dst=8.8.8.8;src=192.168.0.0&255.255.0.0'
thanks,
moody
--- /dev/null
+++ b//sys/src/cmd/ip/null.c
@@ -1,0 +1,36 @@
+#include <u.h>
+#include <libc.h>
+
+void
+usage(void)
+{
+ fprint(2, "usage: %s filter\n", argv0);
+ exits("usage");
+}
+
+void
+main(int argc, char **argv)
+{
+ char buf[64 * 1024];
+ int fd;
+
+ ARGBEGIN{
+ default:
+ usage();
+ break;
+ }ARGEND
+ if(argc < 1)
+ usage();
+
+ fd = dial(smprint("ipmux!%s", argv[0]), nil, nil, nil);
+ if(fd < 0)
+ sysfatal("dial: %r");
+
+ for(;;)
+ switch(read(fd, buf, sizeof buf)){
+ case -1:
+ sysfatal("read: %r");
+ case 0:
+ return;
+ }
+}
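Review bot: the `case 0: return;` in the read loop falls out of main, and on Plan 9 the C runtime then calls exits("main"), so an orderly EOF on the ipmux conversation reports a failure status; call exits(nil) there instead. The `break` after usage() in the ARGBEGIN default case is unreachable because usage() already calls exits, and any extra arguments after the filter are silently ignored; `if(argc != 1)` would reject them. A one-line comment naming the filter syntax this dials (the ipmux expression, e.g. `dst=ip&mask|ip&mask`) would also help the usage message, which currently just says "filter".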
* Re: [9front] [PITCH] ip/null
From: unobe @ 2023-12-11 18:54 UTC (permalink / raw)
To: 9front
FWIW, I haven't seen anyone else comment on this, but I like it.
Quoth Jacob Moody <moody@mail.posixcafe.org>:
> As I play around more with 9front as my router, I found myself reaching for some
> kind of 'firewall'. I find that we already have a pretty good interface in the kernel
> in the form of ipmux. But there aren't too many ways of making use of it as is. I hacked up
> something quick to just drop packets matching a filter onto the floor. If others find it
> useful I can make up a man page and present again with a bit more polish.
>
> Some examples:
> # Drop inbound private range
> ip/null 'ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0'
>
> # google verboden
> ip/null 'ifc=my.internal.ip;dst=8.8.8.8;src=192.168.0.0&255.255.0.0'
>
> thanks,
> moody
>
> --- /dev/null
> +++ b//sys/src/cmd/ip/null.c
> @@ -1,0 +1,36 @@
> +#include <u.h>
> +#include <libc.h>
> +
> +void
> +usage(void)
> +{
> + fprint(2, "usage: %s filter\n", argv0);
> + exits("usage");
> +}
> +
> +void
> +main(int argc, char **argv)
> +{
> + char buf[64 * 1024];
> + int fd;
> +
> + ARGBEGIN{
> + default:
> + usage();
> + break;
> + }ARGEND
> + if(argc < 1)
> + usage();
> +
> + fd = dial(smprint("ipmux!%s", argv[0]), nil, nil, nil);
> + if(fd < 0)
> + sysfatal("dial: %r");
> +
> + for(;;)
> + switch(read(fd, buf, sizeof buf)){
> + case -1:
> + sysfatal("read: %r");
> + case 0:
> + return;
> + }
> +}
* Re: [9front] [PITCH] ip/null
From: Jacob Moody @ 2023-12-11 19:00 UTC (permalink / raw)
To: 9front
This was obsoleted by cinap's aux/dial(1).
It functionally works the same here except you would
need an explicit redirection to /dev/null.
i.e.
aux/dial 'ipmux!ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0' > /dev/null
On 12/11/23 12:54, unobe@cpan.org wrote:
> FWIW, I haven't seen anyone else comment on this, but I like it.
>
> Quoth Jacob Moody <moody@mail.posixcafe.org>:
>> As I play around more with 9front as my router, I found myself reaching for some
>> kind of 'firewall'. I find that we already have a pretty good interface in the kernel
>> in the form of ipmux. But there aren't too many ways of making use of it as is. I hacked up
>> something quick to just drop packets matching a filter onto the floor. If others find it
>> useful I can make up a man page and present again with a bit more polish.
>>
>> Some examples:
>> # Drop inbound private range
>> ip/null 'ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0'
>>
>> # google verboden
>> ip/null 'ifc=my.internal.ip;dst=8.8.8.8;src=192.168.0.0&255.255.0.0'
>>
>> thanks,
>> moody
>>
>> --- /dev/null
>> +++ b//sys/src/cmd/ip/null.c
>> @@ -1,0 +1,36 @@
>> +#include <u.h>
>> +#include <libc.h>
>> +
>> +void
>> +usage(void)
>> +{
>> + fprint(2, "usage: %s filter\n", argv0);
>> + exits("usage");
>> +}
>> +
>> +void
>> +main(int argc, char **argv)
>> +{
>> + char buf[64 * 1024];
>> + int fd;
>> +
>> + ARGBEGIN{
>> + default:
>> + usage();
>> + break;
>> + }ARGEND
>> + if(argc < 1)
>> + usage();
>> +
>> + fd = dial(smprint("ipmux!%s", argv[0]), nil, nil, nil);
>> + if(fd < 0)
>> + sysfatal("dial: %r");
>> +
>> + for(;;)
>> + switch(read(fd, buf, sizeof buf)){
>> + case -1:
>> + sysfatal("read: %r");
>> + case 0:
>> + return;
>> + }
>> +}
>
* Re: [9front] [PITCH] ip/null
From: hiro @ 2023-12-11 19:05 UTC (permalink / raw)
To: 9front
it would be good if it wouldn't need to get all the way to userland
before being dropped.
On 12/11/23, Jacob Moody <moody@posixcafe.org> wrote:
> This was obsoleted by cinap's aux/dial(1).
> It functionally works the same here except you would
> need an explicit redirection to /dev/null.
>
> i.e.
>
> aux/dial 'ipmux!ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0' > /dev/null
>
> On 12/11/23 12:54, unobe@cpan.org wrote:
>> FWIW, I haven't seen anyone else comment on this, but I like it.
>>
>> Quoth Jacob Moody <moody@mail.posixcafe.org>:
>>> As I play around more with 9front as my router, I found myself reaching for some
>>> kind of 'firewall'. I find that we already have a pretty good interface in the kernel
>>> in the form of ipmux. But there aren't too many ways of making use of it as is. I hacked up
>>> something quick to just drop packets matching a filter onto the floor. If others find it
>>> useful I can make up a man page and present again with a bit more polish.
>>>
>>> Some examples:
>>> # Drop inbound private range
>>> ip/null 'ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0'
>>>
>>> # google verboden
>>> ip/null 'ifc=my.internal.ip;dst=8.8.8.8;src=192.168.0.0&255.255.0.0'
>>>
>>> thanks,
>>> moody
>>>
>>> --- /dev/null
>>> +++ b//sys/src/cmd/ip/null.c
>>> @@ -1,0 +1,36 @@
>>> +#include <u.h>
>>> +#include <libc.h>
>>> +
>>> +void
>>> +usage(void)
>>> +{
>>> + fprint(2, "usage: %s filter\n", argv0);
>>> + exits("usage");
>>> +}
>>> +
>>> +void
>>> +main(int argc, char **argv)
>>> +{
>>> + char buf[64 * 1024];
>>> + int fd;
>>> +
>>> + ARGBEGIN{
>>> + default:
>>> + usage();
>>> + break;
>>> + }ARGEND
>>> + if(argc < 1)
>>> + usage();
>>> +
>>> + fd = dial(smprint("ipmux!%s", argv[0]), nil, nil, nil);
>>> + if(fd < 0)
>>> + sysfatal("dial: %r");
>>> +
>>> + for(;;)
>>> + switch(read(fd, buf, sizeof buf)){
>>> + case -1:
>>> + sysfatal("read: %r");
>>> + case 0:
>>> + return;
>>> + }
>>> +}
>>
>
>
* Re: [9front] [PITCH] ip/null
From: Jacob Moody @ 2023-12-11 19:11 UTC (permalink / raw)
To: 9front
Indeed, but right now ipmux is the only tool we have for doing any
filtering more fine-grained than routing tables as far as I know.
I would like our own pf-like but that would require going back to
the drawing board.
On 12/11/23 13:05, hiro wrote:
> it would be good if it wouldn't need to get all the way to userland
> before being dropped.
>
> On 12/11/23, Jacob Moody <moody@posixcafe.org> wrote:
>> This was obsoleted by cinap's aux/dial(1).
>> It functionally works the same here except you would
>> need an explicit redirection to /dev/null.
>>
>> i.e.
>>
>> aux/dial 'ipmux!ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0' > /dev/null
>>
>> On 12/11/23 12:54, unobe@cpan.org wrote:
>>> FWIW, I haven't seen anyone else comment on this, but I like it.
>>>
>>> Quoth Jacob Moody <moody@mail.posixcafe.org>:
>>>> As I play around more with 9front as my router, I found myself reaching for some
>>>> kind of 'firewall'. I find that we already have a pretty good interface in the kernel
>>>> in the form of ipmux. But there aren't too many ways of making use of it as is. I hacked up
>>>> something quick to just drop packets matching a filter onto the floor. If others find it
>>>> useful I can make up a man page and present again with a bit more polish.
>>>>
>>>> Some examples:
>>>> # Drop inbound private range
>>>> ip/null 'ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0'
>>>>
>>>> # google verboden
>>>> ip/null 'ifc=my.internal.ip;dst=8.8.8.8;src=192.168.0.0&255.255.0.0'
>>>>
>>>> thanks,
>>>> moody
>>>>
>>>> --- /dev/null
>>>> +++ b//sys/src/cmd/ip/null.c
>>>> @@ -1,0 +1,36 @@
>>>> +#include <u.h>
>>>> +#include <libc.h>
>>>> +
>>>> +void
>>>> +usage(void)
>>>> +{
>>>> + fprint(2, "usage: %s filter\n", argv0);
>>>> + exits("usage");
>>>> +}
>>>> +
>>>> +void
>>>> +main(int argc, char **argv)
>>>> +{
>>>> + char buf[64 * 1024];
>>>> + int fd;
>>>> +
>>>> + ARGBEGIN{
>>>> + default:
>>>> + usage();
>>>> + break;
>>>> + }ARGEND
>>>> + if(argc < 1)
>>>> + usage();
>>>> +
>>>> + fd = dial(smprint("ipmux!%s", argv[0]), nil, nil, nil);
>>>> + if(fd < 0)
>>>> + sysfatal("dial: %r");
>>>> +
>>>> + for(;;)
>>>> + switch(read(fd, buf, sizeof buf)){
>>>> + case -1:
>>>> + sysfatal("read: %r");
>>>> + case 0:
>>>> + return;
>>>> + }
>>>> +}
>>>
>>
>>
* Re: [9front] [PITCH] ip/null
From: hiro @ 2023-12-11 19:17 UTC (permalink / raw)
To: 9front
is your example more fine-grained than routing tables?
in that case i misread the example.
On 12/11/23, Jacob Moody <moody@posixcafe.org> wrote:
> Indeed, but right now ipmux is the only tool we have for doing any
> filtering more fine-grained than routing tables as far as I know.
>
> I would like our own pf-like but that would require going back to
> the drawing board.
>
> On 12/11/23 13:05, hiro wrote:
>> it would be good if it wouldn't need to get all the way to userland
>> before being dropped.
>>
>> On 12/11/23, Jacob Moody <moody@posixcafe.org> wrote:
>>> This was obsoleted by cinap's aux/dial(1).
>>> It functionally works the same here except you would
>>> need an explicit redirection to /dev/null.
>>>
>>> i.e.
>>>
>>> aux/dial 'ipmux!ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0' > /dev/null
>>>
>>> On 12/11/23 12:54, unobe@cpan.org wrote:
>>>> FWIW, I haven't seen anyone else comment on this, but I like it.
>>>>
>>>> Quoth Jacob Moody <moody@mail.posixcafe.org>:
>>>>> As I play around more with 9front as my router, I found myself reaching for some
>>>>> kind of 'firewall'. I find that we already have a pretty good interface in the kernel
>>>>> in the form of ipmux. But there aren't too many ways of making use of it as is. I hacked up
>>>>> something quick to just drop packets matching a filter onto the floor. If others find it
>>>>> useful I can make up a man page and present again with a bit more polish.
>>>>>
>>>>> Some examples:
>>>>> # Drop inbound private range
>>>>> ip/null 'ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0'
>>>>>
>>>>> # google verboden
>>>>> ip/null 'ifc=my.internal.ip;dst=8.8.8.8;src=192.168.0.0&255.255.0.0'
>>>>>
>>>>> thanks,
>>>>> moody
>>>>>
>>>>> --- /dev/null
>>>>> +++ b//sys/src/cmd/ip/null.c
>>>>> @@ -1,0 +1,36 @@
>>>>> +#include <u.h>
>>>>> +#include <libc.h>
>>>>> +
>>>>> +void
>>>>> +usage(void)
>>>>> +{
>>>>> + fprint(2, "usage: %s filter\n", argv0);
>>>>> + exits("usage");
>>>>> +}
>>>>> +
>>>>> +void
>>>>> +main(int argc, char **argv)
>>>>> +{
>>>>> + char buf[64 * 1024];
>>>>> + int fd;
>>>>> +
>>>>> + ARGBEGIN{
>>>>> + default:
>>>>> + usage();
>>>>> + break;
>>>>> + }ARGEND
>>>>> + if(argc < 1)
>>>>> + usage();
>>>>> +
>>>>> + fd = dial(smprint("ipmux!%s", argv[0]), nil, nil, nil);
>>>>> + if(fd < 0)
>>>>> + sysfatal("dial: %r");
>>>>> +
>>>>> + for(;;)
>>>>> + switch(read(fd, buf, sizeof buf)){
>>>>> + case -1:
>>>>> + sysfatal("read: %r");
>>>>> + case 0:
>>>>> + return;
>>>>> + }
>>>>> +}
>>>>
>>>
>>>
>
>
* Re: [9front] [PITCH] ip/null
From: Jacob Moody @ 2023-12-11 19:22 UTC (permalink / raw)
To: 9front
On 12/11/23 13:17, hiro wrote:
> is your example more fine-grained than routing tables?
> in that case i misread the example.
My example was not, but ipmux allows you to index
arbitrarily into the IP data portion to do matching.
>
> On 12/11/23, Jacob Moody <moody@posixcafe.org> wrote:
>> Indeed, but right now ipmux is the only tool we have for doing any
>> filtering more fine-grained than routing tables as far as I know.
>>
>> I would like our own pf-like but that would require going back to
>> the drawing board.
>>
>> On 12/11/23 13:05, hiro wrote:
>>> it would be good if it wouldn't need to get all the way to userland
>>> before being dropped.
>>>
>>> On 12/11/23, Jacob Moody <moody@posixcafe.org> wrote:
>>>> This was obsoleted by cinap's aux/dial(1).
>>>> It functionally works the same here except you would
>>>> need an explicit redirection to /dev/null.
>>>>
>>>> i.e.
>>>>
>>>> aux/dial 'ipmux!ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0' > /dev/null
>>>>
>>>> On 12/11/23 12:54, unobe@cpan.org wrote:
>>>>> FWIW, I haven't seen anyone else comment on this, but I like it.
>>>>>
>>>>> Quoth Jacob Moody <moody@mail.posixcafe.org>:
>>>>>> As I play around more with 9front as my router, I found myself reaching for some
>>>>>> kind of 'firewall'. I find that we already have a pretty good interface in the kernel
>>>>>> in the form of ipmux. But there aren't too many ways of making use of it as is. I hacked up
>>>>>> something quick to just drop packets matching a filter onto the floor. If others find it
>>>>>> useful I can make up a man page and present again with a bit more polish.
>>>>>>
>>>>>> Some examples:
>>>>>> # Drop inbound private range
>>>>>> ip/null 'ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0'
>>>>>>
>>>>>> # google verboden
>>>>>> ip/null 'ifc=my.internal.ip;dst=8.8.8.8;src=192.168.0.0&255.255.0.0'
>>>>>>
>>>>>> thanks,
>>>>>> moody
>>>>>>
>>>>>> --- /dev/null
>>>>>> +++ b//sys/src/cmd/ip/null.c
>>>>>> @@ -1,0 +1,36 @@
>>>>>> +#include <u.h>
>>>>>> +#include <libc.h>
>>>>>> +
>>>>>> +void
>>>>>> +usage(void)
>>>>>> +{
>>>>>> + fprint(2, "usage: %s filter\n", argv0);
>>>>>> + exits("usage");
>>>>>> +}
>>>>>> +
>>>>>> +void
>>>>>> +main(int argc, char **argv)
>>>>>> +{
>>>>>> + char buf[64 * 1024];
>>>>>> + int fd;
>>>>>> +
>>>>>> + ARGBEGIN{
>>>>>> + default:
>>>>>> + usage();
>>>>>> + break;
>>>>>> + }ARGEND
>>>>>> + if(argc < 1)
>>>>>> + usage();
>>>>>> +
>>>>>> + fd = dial(smprint("ipmux!%s", argv[0]), nil, nil, nil);
>>>>>> + if(fd < 0)
>>>>>> + sysfatal("dial: %r");
>>>>>> +
>>>>>> + for(;;)
>>>>>> + switch(read(fd, buf, sizeof buf)){
>>>>>> + case -1:
>>>>>> + sysfatal("read: %r");
>>>>>> + case 0:
>>>>>> + return;
>>>>>> + }
>>>>>> +}
>>>>>
>>>>
>>>>
>>
>>
* Re: [9front] [PITCH] ip/null
From: hiro @ 2023-12-11 19:32 UTC (permalink / raw)
To: 9front
in that case, the routing logic should allow routing to a null route
in the kernel, preferably. at least for the source/destination IP
based filters that's good enough.
port-based (L4) firewalls should become less necessary over time as
we just assign ip addresses to individual services instead.
that's my utopia at least ;)
On 12/11/23, Jacob Moody <moody@posixcafe.org> wrote:
> On 12/11/23 13:17, hiro wrote:
>> is your example more fine-grained than routing tables?
>> in that case i misread the example.
>
> My example was not, but ipmux allows you to index
> arbitrarily into the IP data portion to do matching.
>
>>
>> On 12/11/23, Jacob Moody <moody@posixcafe.org> wrote:
>>> Indeed, but right now ipmux is the only tool we have for doing any
>>> filtering more fine-grained than routing tables as far as I know.
>>>
>>> I would like our own pf-like but that would require going back to
>>> the drawing board.
>>>
>>> On 12/11/23 13:05, hiro wrote:
>>>> it would be good if it wouldn't need to get all the way to userland
>>>> before being dropped.
>>>>
>>>> On 12/11/23, Jacob Moody <moody@posixcafe.org> wrote:
>>>>> This was obsoleted by cinap's aux/dial(1).
>>>>> It functionally works the same here except you would
>>>>> need an explicit redirection to /dev/null.
>>>>>
>>>>> i.e.
>>>>>
>>>>> aux/dial 'ipmux!ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0' > /dev/null
>>>>>
>>>>> On 12/11/23 12:54, unobe@cpan.org wrote:
>>>>>> FWIW, I haven't seen anyone else comment on this, but I like it.
>>>>>>
>>>>>> Quoth Jacob Moody <moody@mail.posixcafe.org>:
>>>>>>> As I play around more with 9front as my router, I found myself reaching for some
>>>>>>> kind of 'firewall'. I find that we already have a pretty good interface in the kernel
>>>>>>> in the form of ipmux. But there aren't too many ways of making use of it as is. I hacked up
>>>>>>> something quick to just drop packets matching a filter onto the floor. If others find it
>>>>>>> useful I can make up a man page and present again with a bit more polish.
>>>>>>>
>>>>>>> Some examples:
>>>>>>> # Drop inbound private range
>>>>>>> ip/null 'ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0'
>>>>>>>
>>>>>>> # google verboden
>>>>>>> ip/null 'ifc=my.internal.ip;dst=8.8.8.8;src=192.168.0.0&255.255.0.0'
>>>>>>>
>>>>>>> thanks,
>>>>>>> moody
>>>>>>>
>>>>>>> --- /dev/null
>>>>>>> +++ b//sys/src/cmd/ip/null.c
>>>>>>> @@ -1,0 +1,36 @@
>>>>>>> +#include <u.h>
>>>>>>> +#include <libc.h>
>>>>>>> +
>>>>>>> +void
>>>>>>> +usage(void)
>>>>>>> +{
>>>>>>> + fprint(2, "usage: %s filter\n", argv0);
>>>>>>> + exits("usage");
>>>>>>> +}
>>>>>>> +
>>>>>>> +void
>>>>>>> +main(int argc, char **argv)
>>>>>>> +{
>>>>>>> + char buf[64 * 1024];
>>>>>>> + int fd;
>>>>>>> +
>>>>>>> + ARGBEGIN{
>>>>>>> + default:
>>>>>>> + usage();
>>>>>>> + break;
>>>>>>> + }ARGEND
>>>>>>> + if(argc < 1)
>>>>>>> + usage();
>>>>>>> +
>>>>>>> + fd = dial(smprint("ipmux!%s", argv[0]), nil, nil, nil);
>>>>>>> + if(fd < 0)
>>>>>>> + sysfatal("dial: %r");
>>>>>>> +
>>>>>>> + for(;;)
>>>>>>> + switch(read(fd, buf, sizeof buf)){
>>>>>>> + case -1:
>>>>>>> + sysfatal("read: %r");
>>>>>>> + case 0:
>>>>>>> + return;
>>>>>>> + }
>>>>>>> +}
>>>>>>
>>>>>
>>>>>
>>>
>>>
>
>
* Re: [9front] [PITCH] ip/null
From: unobe @ 2023-12-11 19:45 UTC (permalink / raw)
To: 9front
Splendid!
Quoth Jacob Moody <moody@posixcafe.org>:
> This was obsoleted by cinap's aux/dial(1).
> It functionally works the same here except you would
> need an explicit redirection to /dev/null.
>
> i.e.
>
> aux/dial 'ipmux!ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0' > /dev/null
>
> On 12/11/23 12:54, unobe@cpan.org wrote:
> > FWIW, I haven't seen anyone else comment on this, but I like it.
> >
> > Quoth Jacob Moody <moody@mail.posixcafe.org>:
> >> As I play around more with 9front as my router, I found myself reaching for some
> >> kind of 'firewall'. I find that we already have a pretty good interface in the kernel
> >> in the form of ipmux. But there aren't too many ways of making use of it as is. I hacked up
> >> something quick to just drop packets matching a filter onto the floor. If others find it
> >> useful I can make up a man page and present again with a bit more polish.
> >>
> >> Some examples:
> >> # Drop inbound private range
> >> ip/null 'ifc=my.external.ip;dst=192.168.0.0&255.255.0.0|10.0.0.0&255.0.0.0'
> >>
> >> # google verboden
> >> ip/null 'ifc=my.internal.ip;dst=8.8.8.8;src=192.168.0.0&255.255.0.0'
> >>
> >> thanks,
> >> moody
> >>
> >> --- /dev/null
> >> +++ b//sys/src/cmd/ip/null.c
> >> @@ -1,0 +1,36 @@
> >> +#include <u.h>
> >> +#include <libc.h>
> >> +
> >> +void
> >> +usage(void)
> >> +{
> >> + fprint(2, "usage: %s filter\n", argv0);
> >> + exits("usage");
> >> +}
> >> +
> >> +void
> >> +main(int argc, char **argv)
> >> +{
> >> + char buf[64 * 1024];
> >> + int fd;
> >> +
> >> + ARGBEGIN{
> >> + default:
> >> + usage();
> >> + break;
> >> + }ARGEND
> >> + if(argc < 1)
> >> + usage();
> >> +
> >> + fd = dial(smprint("ipmux!%s", argv[0]), nil, nil, nil);
> >> + if(fd < 0)
> >> + sysfatal("dial: %r");
> >> +
> >> + for(;;)
> >> + switch(read(fd, buf, sizeof buf)){
> >> + case -1:
> >> + sysfatal("read: %r");
> >> + case 0:
> >> + return;
> >> + }
> >> +}
> >
>