Re: Problem with return-rst and auth (IPFilter forums, System Security and Security Related category)
On Fri, Sep 26, 2003 at 10:35:30AM -0400, noam+ipfilter@noam.com wrote:
> > Okay.. this is a bug in ipf.
> >
> > Please try the attached patch (only need to recompile ipfstat, not
> > the kernel).
>
> The ioctl error is gone, but I don't see a list..
>
> # ./SunOS5/i386-5.8/ipfstat -A
> Authorisation hits: 91 misses 2669
> nospace 0
> added 91
> sendfail 0
> sendok 0
> queok 91
> quefail 0
> expire 0
> #

Ah... I finally get it. You are mixing auth and preauth.

With "auth", whenever a packet matches an "auth" rule, the kernel sends data about the packet to a userland daemon. This daemon can then decide to allow or block the packet.

With preauth, you have a set of temporary rules you can put into the kernel. When a packet matches such a rule, an automatic keep state entry is created.

Given your source code, it seems you want preauth. So:

1) Add preauth rules to your ipf rules. When a packet matches such a rule, ipf will go check the preauth list. If a match is found, processing will stop. If no match is found, the other (normal) ipf rules will be evaluated.

2) Change your program to use SIOCADAFR instead of SIOCAUTHW.

If correct, then you will indeed see the list of rules you entered into the kernel with SIOCADAFR, when running ipfstat -A.

-Guido
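As an added illustration of step 1 above (a constructed ipf.conf fragment, not part of the thread; the interface name hme0 and the ports are assumed), showing where a preauth rule sits relative to the normal rules and how it differs from the auth rule the poster had been using:

```text
# Constructed example, not the poster's ruleset. Interface hme0 is assumed.

# An "auth" rule: every matching packet is handed to a userland daemon
# (the SIOCAUTHW path), which must answer pass or block for each packet.
# Commented out here because it is the behaviour being replaced.
#auth in on hme0 proto tcp from any to any port = 25

# A "preauth" rule: a matching packet is checked against the temporary
# rules the program loaded into the kernel with SIOCADAFR. On a hit an
# automatic keep state entry is created and processing stops; on a miss
# evaluation continues with the normal rules below.
preauth in on hme0 proto tcp from any to any port = 25

# Normal rules, reached only by packets the preauth list did not match.
pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state
block return-rst in quick on hme0 proto tcp from any to any
block in all
```

The rules loaded via SIOCADAFR are the ones listed by ipfstat -A; they are not written in this file.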