Date:      Tue, 14 Dec 2004 15:23:02 +0100
From:      Andre Oppermann <andre@freebsd.org>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: per-interface packet filters [summary]
Message-ID:  <41BEF746.E8362858@freebsd.org>
References:  <20041213124051.GB32719@cell.sick.ru> <20041214085123.GB42820@cell.sick.ru> <20041214015603.A75019@xorpc.icir.org> <41BEE0E7.BD2316EB@freebsd.org> <20041214060341.A77720@xorpc.icir.org>

Luigi Rizzo wrote:
> 
> On Tue, Dec 14, 2004 at 01:47:35PM +0100, Andre Oppermann wrote:
> ...
> > > Implementation-wise, the kernel side is evidently trivial as the
> > > original code already supports the idea of multiple chains.  All
> > > you need is to extend the struct ifnet with a pointer to the chain,
> > > or use some other trick (e.g. going through ifindex) to quickly
> > > associate a chain to the input (and possibly output) interface.
> >
> > Nonononononononononononononononononononononono.
> 
> andre you need to cool down a bit!

I'm not angry but frustrated.  In the network area it's too much 'let's
quickly hack this in' instead of 'let's carefully design this in'.

> i said "use some other trick" exactly to avoid changing
> the struct ifnet. All i meant to say is that we want a unique
> key, possibly in a small namespace, to quickly locate the per-if
> private firewall info. How the key is used is not a business of
> the rest of the kernel. But of course if it is an index in a
> smallish array (such as ifindex) the thing is fast and clean.

Ok, I'm fine with *this* approach.

This can be done and handled inside ipfw_check_in|out() based on the
interface pointer information passed in from pfil_run_hooks().

Then inside IPFW it can be implemented with multiple rule chains
although I'm not convinced this would be the smartest approach.

Wouldn't it be even better to have per-interface and global rules
after each other?  This way your problem with the general rule
synching can be solved.

-- 
Andre
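The structure the two messages converge on, as an added C sketch that is my own and not FreeBSD or ipfw code: a small array of per-interface chains keyed by ifindex (Luigi's "unique key in a small namespace"), consulted from a stand-in for the pfil hook, with the interface's own chain checked before a global chain so that a global rule is written once and needs no copy per interface (Andre's "per-interface and global rules after each other"). The ifindex limit, the rule format, the addresses and the default-deny policy are constructed assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the per-interface chain idea from the thread (constructed
 * example, not FreeBSD/ipfw code). MAXIF is an assumed small ifindex
 * namespace; real values would come from struct ifnet. */
#define MAXIF 8
#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum action { ACT_PASS = 1, ACT_DENY = 2 };
enum dir { DIR_IN = 0, DIR_OUT = 1 };

struct pkt {
    uint32_t src, dst;   /* IPv4 addresses, host byte order */
    uint16_t dport;
    uint8_t proto;       /* 6 = TCP, 17 = UDP */
};

struct rule {
    uint32_t src, src_mask;   /* mask 0 = match any source */
    uint32_t dst, dst_mask;
    uint16_t dport;           /* 0 = any port */
    uint8_t proto;            /* 0 = any protocol */
    enum action act;
};

struct chain {
    const struct rule *rules;
    size_t nrules;
};

/* Constructed rule sets: ifindex 1 plays the external interface, ifindex 2
 * the internal one, which has no private rules at all. */
static const struct rule ext_in[] = {
    { .proto = 6, .dport = 22, .act = ACT_DENY },             /* no ssh from outside */
};
static const struct rule global_in_rules[] = {
    { .proto = 6, .dport = 80, .act = ACT_PASS },             /* web, any interface */
    { .proto = 6, .dport = 22, .src = IP(10, 0, 0, 0),
      .src_mask = 0xff000000u, .act = ACT_PASS },             /* ssh from 10/8 */
};
static const struct rule global_out_rules[] = {
    { .act = ACT_PASS },                                      /* wildcard: pass all */
};

/* Per-interface chains live in a smallish array indexed by ifindex; slot 0
 * is unused because ifindex 0 is not a valid interface. Interfaces without
 * private rules simply have an empty chain. */
static const struct chain in_chains[MAXIF] = {
    [1] = { ext_in, sizeof ext_in / sizeof ext_in[0] },
};
static const struct chain out_chains[MAXIF];   /* all empty in this example */
static const struct chain global_in = {
    global_in_rules, sizeof global_in_rules / sizeof global_in_rules[0]
};
static const struct chain global_out = { global_out_rules, 1 };

static int rule_match(const struct rule *r, const struct pkt *p)
{
    if (r->proto && r->proto != p->proto) return 0;
    if (r->dport && r->dport != p->dport) return 0;
    if ((p->src & r->src_mask) != (r->src & r->src_mask)) return 0;
    if ((p->dst & r->dst_mask) != (r->dst & r->dst_mask)) return 0;
    return 1;
}

/* First matching rule wins; 0 means the chain had no opinion. */
static int chain_check(const struct chain *c, const struct pkt *p)
{
    for (size_t i = 0; i < c->nrules; i++)
        if (rule_match(&c->rules[i], p))
            return c->rules[i].act;
    return 0;
}

/* Stand-in for the pfil hook: caller passes direction and the ifindex of
 * the input/output interface. The interface's own chain runs first, then
 * the global chain, so global rules are kept in one place. */
int ipfw_check(enum dir dir, unsigned ifindex, const struct pkt *p)
{
    const struct chain *per_if = NULL;
    const struct chain *global = (dir == DIR_IN) ? &global_in : &global_out;
    int act;

    if (ifindex > 0 && ifindex < MAXIF)   /* out-of-range key: global rules only */
        per_if = (dir == DIR_IN) ? &in_chains[ifindex] : &out_chains[ifindex];

    if (per_if != NULL && (act = chain_check(per_if, p)) != 0)
        return act;
    if ((act = chain_check(global, p)) != 0)
        return act;
    return ACT_DENY;   /* assumed default policy: deny what nothing matched */
}

int main(void)
{
    struct pkt ssh_ext = { IP(203, 0, 113, 9), IP(192, 0, 2, 1), 22, 6 };
    struct pkt ssh_int = { IP(10, 0, 0, 5), IP(192, 0, 2, 1), 22, 6 };
    struct pkt web_ext = { IP(203, 0, 113, 9), IP(192, 0, 2, 1), 80, 6 };

    printf("ssh in on ifindex 1: %s\n", ipfw_check(DIR_IN, 1, &ssh_ext) == ACT_PASS ? "pass" : "deny");
    printf("ssh in on ifindex 2: %s\n", ipfw_check(DIR_IN, 2, &ssh_int) == ACT_PASS ? "pass" : "deny");
    printf("web in on ifindex 1: %s\n", ipfw_check(DIR_IN, 1, &web_ext) == ACT_PASS ? "pass" : "deny");
    return 0;
}
```

The point of the ordering is visible in the ssh cases: the global chain passes ssh from 10/8 on every interface, but the external interface's private deny rule is consulted first and wins there, while the internal interface, having no private rules, falls straight through to the global chain. An ifindex outside the array is treated as "no private chain" rather than as an error, so the global rules still apply.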



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41BEF746.E8362858>