Hi guys,
On Thu, Jan 02, 2014 at 04:56:14PM +0100, Lukas Tribus wrote:
> > acl bad_guys tos-acl 0x20
> > block if bad_guys
>
> Ah ok, you want to match incoming TOS.
>
> That is indeed not supported currently.
>
>
> Also, not all *nixes provide an API for this. Linux has
> IP_RECVTOS/IPV6_RECVTCLASS to do it, but BSD hasn't, also see:
> http://stackoverflow.com/questions/1029849/what-is-the-bsd-or-portable-way-to-get-tos-byte-like-ip-recvtos-from-linux
>
>
> Not sure what effort it would be to implement this.
I just checked and it's really not worth it for several reasons:
- there can be as many TOS values as there are packets. On load balanced
links, it's very likely that half the packets may arrive with one TOS and
half with another one (and maybe a third one for the SYN).
- I found no way to *query* the last known TOS seen on a received packet
for an existing socket without transferring data;
- it requires that we change *all* recv() calls for the slower recvmsg()
and always enable the option to retrieve this TOS in responses; and
we'd need to store these values somewhere in the connection just for
the hypothetical case it would be used by some ACLs.
We could still check if it's possible to use recvmsg(MSG_PEEK) out of the
data stream, but I doubt it since we should get a standard EAGAIN response
because there are no more data pending.
Also, I would not rely much on TOS marking for security purposes, considering
that anyone along the path may modify it, I'd fear a lot of false positives...
Regards,
Willy
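Added example (not from the thread and not HAProxy code): on Linux the TOS byte of a received datagram is only exposed through recvmsg() ancillary data after IP_RECVTOS is enabled; the first function parses that cmsg, the second checks it on a constructed control buffer (no socket), and the third, compiled only where IP_RECVTOS exists, does a real UDP loopback round-trip. Function names are my own.

```c
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* TOS byte from recvmsg() ancillary data (Linux IP_RECVTOS attaches a
 * one-byte IPPROTO_IP/IP_TOS cmsg per datagram), or -1 if none present. */
int tos_from_cmsg(struct msghdr *msg)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_TOS)
            return *(uint8_t *)CMSG_DATA(c);
    return -1;
}

/* Offline check: hand-build the control buffer the kernel would return
 * (constructed here, no socket) and parse it; present == 0 leaves it empty. */
int constructed_tos(uint8_t tos, int present)
{
    char ctrl[CMSG_SPACE(sizeof(tos))];
    struct msghdr msg = { .msg_control = ctrl, .msg_controllen = sizeof(ctrl) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_TOS;
    c->cmsg_len = CMSG_LEN(sizeof(tos));
    memcpy(CMSG_DATA(c), &tos, sizeof(tos));
    msg.msg_controllen = present ? CMSG_SPACE(sizeof(tos)) : 0;
    return tos_from_cmsg(&msg);
}

#ifdef IP_RECVTOS
/* Live check: one UDP datagram to ourselves over loopback with the given TOS;
 * returns what recvmsg() reports, -1 on any failure. Note the extra
 * setsockopt() and the recvmsg() that a recv()-based read loop would need. */
int loopback_tos(int tos)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), on = 1, got = -1;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) }; /* port 0 */
    socklen_t alen = sizeof(a);
    char buf[8], ctrl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { buf, sizeof(buf) };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctrl, .msg_controllen = sizeof(ctrl) };
    if (fd >= 0 && !bind(fd, (struct sockaddr *)&a, alen) && !getsockname(fd, (struct sockaddr *)&a, &alen)
        && !setsockopt(fd, IPPROTO_IP, IP_RECVTOS, &on, sizeof(on)) && !setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos))
        && sendto(fd, "x", 1, 0, (struct sockaddr *)&a, alen) == 1 && recvmsg(fd, &msg, 0) == 1)
        got = tos_from_cmsg(&msg);
    if (fd >= 0) close(fd);
    return got;
}
#endif
```

loopback_tos(0x20) returns 0x20 on a Linux host with loopback available; where the kernel does not report TOS it returns -1, which is the portability gap Lukas mentions.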