Re: [lwip-devel] IP data packets are forwarded although it should never work in theory, but why?
Tue, 06 Oct 2020 16:12:15 +0200
On 2020-10-06 15:37, Benjamin Kalytta wrote:
> Thank you for your fast response. I was not aware of that. I would
> need at least an option for a hard separation (DMZ) for specific
> interfaces. What do you think is the best point to implement that? In
> ip_input or ip_input_accept? Do you have implemented it and how did
> you implement it?
Problem is that it is a bit scattered around if you do it correctly,
including all corner cases like peers behind gateways. TCP incoming
connections need to be automatically bound to the interface where
they came from. lwIP's SNMP code also needs changes to handle this
correctly. For unbound UDP sockets we changed the code so it honours
the pbuf's if_idx. We avoid ever calling ip_route().
Applications also have to bind all sockets to specific interfaces
for client sockets to pick the correct interface in case the peer
is behind a gateway.
We needed hard separation between all interfaces, so we didn't
make it a per-interface option.
An alternative solution would extend ip_route() with interface
information and enough hooks here and there to reach our goal
outside of lwIP, but that is a much bigger change.
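Added illustration, not lwIP code and not part of this thread: a small self-contained C model of the two acceptance rules the thread is about. accept_weak() delivers a packet whose destination matches any local interface address (the behaviour that lets a packet arriving on one interface reach an address configured on another); accept_strong() delivers only when the destination is the address of the interface the packet arrived on, which is the check a DMZ-style hard separation needs. reply_ifidx() picks the interface for the reply from the packet's arrival index instead of a route lookup on the peer address, the same idea as binding an accepted TCP connection or an unbound UDP socket to the arrival netif and never calling ip_route(). The struct names (iface, pkt), the function names and the sample addresses are invented for this example; the if_idx field only mirrors the 1-based index lwIP 2.1 stores in pbuf->if_idx, it is not lwIP's struct pbuf.

```c
/* Added example, not lwIP code: weak vs. strong host acceptance and
 * arrival-interface reply selection. All types and names are invented
 * for this illustration. */
#include <stdint.h>
#include <stdio.h>

#define NUM_IFACES 3

struct iface {
    uint8_t  idx;      /* 1-based, like pbuf->if_idx in lwIP 2.1; 0 = unknown */
    uint32_t addr;     /* host-order IPv4 address */
    const char *name;
};

/* Constructed sample topology: a WAN uplink, a LAN and a DMZ segment. */
static const struct iface ifaces[NUM_IFACES] = {
    { 1, 0xC0A80101u /* 192.168.1.1 */, "wan" },
    { 2, 0x0A000001u /* 10.0.0.1    */, "lan" },
    { 3, 0xAC100001u /* 172.16.0.1  */, "dmz" },
};

struct pkt {
    uint8_t  if_idx;   /* interface the frame arrived on */
    uint32_t src;
    uint32_t dst;
};

static const struct iface *iface_by_idx(uint8_t idx)
{
    for (int i = 0; i < NUM_IFACES; i++)
        if (ifaces[i].idx == idx) return &ifaces[i];
    return NULL;
}

/* Weak host rule: deliver if dst matches ANY local interface address.
 * A packet for the DMZ address is accepted even when it arrives on WAN. */
static int accept_weak(const struct pkt *p)
{
    for (int i = 0; i < NUM_IFACES; i++)
        if (p->dst == ifaces[i].addr) return 1;
    return 0;
}

/* Strong host rule: deliver only if dst is the address of the interface
 * the packet arrived on. Unknown arrival interface means drop. */
static int accept_strong(const struct pkt *p)
{
    const struct iface *in = iface_by_idx(p->if_idx);
    return in != NULL && p->dst == in->addr;
}

/* Reply interface taken from the arrival index, never from a route lookup
 * on the peer address, so a peer behind a gateway is answered on the
 * interface it came in on. Returns 0 if the index is unknown. */
static uint8_t reply_ifidx(const struct pkt *p)
{
    return iface_by_idx(p->if_idx) ? p->if_idx : 0;
}

int main(void)
{
    /* Constructed: arrives on WAN (idx 1) but is addressed to the DMZ address. */
    struct pkt cross = { 1, 0x0B0B0B0Bu, 0xAC100001u };
    /* Constructed: arrives on DMZ (idx 3), addressed to the DMZ address. */
    struct pkt local = { 3, 0xAC100005u, 0xAC100001u };

    printf("cross-interface packet: weak=%d strong=%d\n",
           accept_weak(&cross), accept_strong(&cross));
    printf("on-interface packet:    weak=%d strong=%d reply on idx %u (%s)\n",
           accept_weak(&local), accept_strong(&local), reply_ifidx(&local),
           iface_by_idx(reply_ifidx(&local))->name);
    return 0;
}
```

The cross-interface packet shows the difference: the weak rule accepts it, the strong rule drops it. In lwIP terms the strong check belongs where the input path decides which netif a packet is accepted for, and the reply selection belongs wherever a pcb would otherwise fall back to ip_route().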