Oh hey, this is a good answer. I read the file and it looks straightforward. A
little unattractive in that you have to compute the checksums and fiddle with
the rules directly, but it will at least give the possibility to add this kind
of support to stunnel or similar software. Perhaps it could be cleaned up, and
API-ified somewhat in future.
Since it uses ioctl and IPFILTER_VERSION, I assume it is for V4 and up only.
That is acceptable.
So with some small stunnel patch, one could do an SSL accelerator black box,
perhaps I will amuse myself with that during idle times.
Thanks,
Lund
Carson Gaspar wrote:
> --On Wednesday, May 17, 2006 11:44 AM +0900 Jorgen Lundman
> <[EMAIL PROTECTED]> wrote:
>
>> But to me that still feels very hacky. It would be more desirable if you
>> could make a competing "black box" solution with IPFilter+SSL, and not
>> require the SSL overhead on the client servers at all (which is one of
>> the points of SSL accelerators).
>
> You can. You just need to add support for IP filter to stunnel. See
> samples/proxy.c in the source distribution for an example of the NAT API
> used to accomplish this.
--
Jorgen Lundman | <[EMAIL PROTECTED]>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)