Subject: Re: if_null
To: Steve Bellovin <smb@research.att.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-net
Date: 04/08/2004 00:18:31
On Wed, Apr 07, 2004 at 03:43:12PM -0400, Steve Bellovin wrote:
>I've implemented if_null, the network equivalent of /dev/null. It has
>several purposes: remote-triggered routing black holes (see
>http://www.nanog.org/mtg-0402/pdf/morrow.pdf ); and
>an easier way to monitor all traffic to some dummy destination.
>tcpdump on the input interface works, of course, but bpf has
>to filter a lot of "uninteresting" data. With if_null, you can
>route such traffic to a null interface, and pick up everything with
>tcpdump.
>
>The difference between if_null and RTF_BLACKHOLE is that the discard
>notion is tied to the interface, rather than to the route. Taking out
>the indirection is what allows remote-triggered black holes to work.
>It also provides for byte and packet counters for the discarded packets.
>
>if_null is a clone device:
>
> ifconfig null0 create
> ifconfig null0 192.168.42.42
>
>and was derived from if_gre.c. I *think* I deleted all of the
>no-longer-necessary code.
i did this once, but i called it "nul" instead of "null". i was
probably thinking that i liked cisco's name or something. fwiw, i
copied if_loop.c instead, and ripped the bottom off it. i've still
got it around here somewhere...
>You can pick up a copy at http://www.machshav.com/~smb/if_null .
>I compiled and tested it on 2.0beta; it will probably work on -current
>without change. I have no idea what would happen on 1.6.2.
indeed, i had trouble making mine do "the right thing" with ipv6.
does yours do so? for some reason, i was always able to ping whatever
v6 address i assigned to the interface, leading me to believe that v6
was something i needed to know yet more about when i had more time...
--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah! i see you have the internet
twofsonet@graffiti.com (Andrew Brown) that goes *ping*!"
werdna@squooshy.com * "information is power -- share the wealth."