SMF ipfilter support needs improvement
We currently have support for securing SMF-managed services with ipfilter. This is especially useful for securing RPC services using dynamic ports. As it happens, this support is somewhat limited:
- supports only dropping of packets; there is no setting to return RST (TCP) or ICMP error messages (all other protocols)
- supports only filtering on source addresses, source address pools, and incoming interfaces
- supports only IPv4
For a few months now I have been running with a bunch of changes that allow IPv6 support, specifying a block policy, and filtering on destination addresses. It's time to have these upstreamed.