> On 2 Mar 2016, at 02:32, Claer <cl...@claer.hammock.fr> wrote:
>
> Hello dear developers,
>
> I asked a friend, Mathieu Papineau, to help me with an issue I have with
> npppd.
> For a project here, I thought of building a multitenancy firewall with rdomain
> support. For remote access, I wanted to use npppd to be able to authenticate
> users in different domains in their respective domains using RADIUS.
>
> After some infructuous tests, it appears that npppd wasn't designed to support
> rdomains. Mathieu developed the following patches to support the
> functionality I wished. Actually, due to the current limitation, it only
> works with tun devices. The pppx driver does not support rdomain ioctls yet.
>
> The series contains 12 patches, I'll try to post one per mail for easier
> review.
>
> Thanks for review!
>
> Claer

hey claer,

i had a quick look at the changes here and have a bit of feedback.

firstly, i am concerned about setting the rdomain associated with the kernel interface in a separate ioctl. doing it that way allows for a race between when the interface is configured and when the rdomain is set. it is possible packets could move in an rdomain they're not supposed to in that window, no matter how small it is.

instead i would look at setting the rdomain when the session is created as part of struct pipex_session_req (see src/sys/net/pipex.h). in fact there is already a pr_rdomain member waiting to be uncommented and used.

unfortunately that would invalidate a large chunk of the changes in the diffs you provided, and would require changes to the kernel to make pipex (and hopefully pppx) respect the rdomain userland provides. overall i think it will be simpler though.

lastly, i really like the idea you're proposing. it would be very cool to see working.

cheers,
dlg
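
The window described in the reply above, as an added example that is not part of the thread and not OpenBSD code: a toy C model that lets a packet arrive after each step of interface setup and counts the arrivals forwarded outside the tenant's rdomain. Every struct and function name is hypothetical, and rdomain 5 is a constructed value.

```c
#include <stdio.h>

/* Toy model, not OpenBSD code: every name here is hypothetical. */
struct toy_if {
    int up;       /* interface accepts packets */
    int rdomain;  /* routing domain packets are forwarded in; 0 = default */
};

typedef void (*setup_step)(struct toy_if *, int tenant_rdomain);

/* Two-ioctl design: the interface comes up first, the rdomain follows. */
static void step_create_default(struct toy_if *i, int rd) { (void)rd; i->up = 1; i->rdomain = 0; }
static void step_set_rdomain(struct toy_if *i, int rd) { i->rdomain = rd; }

/* Single-request design: the rdomain travels with the creation request. */
static void step_create_with_rdomain(struct toy_if *i, int rd) { i->up = 1; i->rdomain = rd; }

/* Rdomain a packet arriving now is forwarded in, or -1 if it is dropped. */
static int deliver(const struct toy_if *i) { return i->up ? i->rdomain : -1; }

/*
 * Let a packet arrive after each prefix of the setup sequence and count
 * the arrivals forwarded in an rdomain other than the tenant's.
 */
int leaked_packets(const setup_step *steps, int nsteps, int tenant_rdomain)
{
    int leaks = 0;
    for (int arrive = 0; arrive <= nsteps; arrive++) {
        struct toy_if ifc = { 0, 0 };
        for (int s = 0; s < arrive; s++)
            steps[s](&ifc, tenant_rdomain);
        int rd = deliver(&ifc);
        if (rd != -1 && rd != tenant_rdomain)
            leaks++;
    }
    return leaks;
}

static const setup_step two_ioctls[] = { step_create_default, step_set_rdomain };
static const setup_step one_request[] = { step_create_with_rdomain };

int main(void)
{
    printf("two ioctls:  %d leaking arrival point(s)\n", leaked_packets(two_ioctls, 2, 5));
    printf("one request: %d leaking arrival point(s)\n", leaked_packets(one_request, 1, 5));
    return 0;
}
```
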