Date: Wed, 18 Dec 2019 15:27:58 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Gleb Smirnoff <glebius@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf
Message-ID: <f88b296e-d03a-8c43-3202-6ece60974b10@yandex.ru>
In-Reply-To: <201901312301.x0VN13lM097213@repo.freebsd.org>
References: <201901312301.x0VN13lM097213@repo.freebsd.org>
On 01.02.2019 02:01, Gleb Smirnoff wrote:
> Author: glebius
> Date: Thu Jan 31 23:01:03 2019
> New Revision: 343631
> URL: https://svnweb.freebsd.org/changeset/base/343631
>
> Log:
>   New pfil(9) KPI together with newborn pfil API and control utility.
>
>   The KPI has been reviewed and cleansed of features that were planned
>   back 20 years ago and never implemented. The pfil(9) internals have
>   been made opaque to protocols with only returned types and function
>   declarations exposed. The KPI is made more strict, but at the same time
>   more extensible, as kernel uses same command structures that userland
>   ioctl uses.
>
>   In a nutshell [KA]PI is about declaring filtering points, declaring
>   filters and linking and unlinking them together.
>
>   New [KA]PI makes it possible to reconfigure pfil(9) configuration:
>   change order of hooks, rehook filter from one filtering point to a
>   different one, disconnect a hook on output leaving it on input only,
>   prepend/append a filter to existing list of filters.
>
>   Now it is possible for a single packet filter to provide multiple rulesets
>   that may be linked to different points. Think of per-interface ACLs in
>   Cisco or Juniper. None of existing packet filters yet support that,
>   however limited usage is already possible, e.g. default ruleset can
>   be moved to single interface, as soon as interface would provide their
>   filtering points.
>
>   Another future feature is possibility to create pfil heads, that provide
>   not an mbuf pointer but just a memory pointer with length. That would
>   allow filtering at very early stages of a packet lifecycle, e.g. when
>   packet has just been received by a NIC and no mbuf was yet allocated.

It seems that this commit has changed the error code returned from
ip[6]_output() when a packet is blocked. Previously it was EACCES, but now
it became EPERM. Was it intentional?

-- 
WBR, Andrey V. Elsukov
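The linking model the quoted commit log describes (filtering points, filters, links that carry an in/out direction and a prepend/append order, and unlinking one direction while leaving the other in place) as a small userland C model. This is an added illustration, not FreeBSD's sys/net/pfil.c and not code from the commit: the mp_* names, the flag values, the port-blocking toy filter and the "inet" head with "ipfw:default" and "pf:default" hooks are the model's own assumptions. The drop path returns EPERM, the value the reply above says ip[6]_output() now reports, so a caller can see where the errno an application observes comes from.

```c
/* Userland model of the pfil(9) linking concepts in the commit log above.
 * Illustration only, not FreeBSD's sys/net/pfil.c: mp_* names, flag values
 * and the port-blocking hook are this model's own. */
#include <errno.h>
#include <string.h>

#define MP_IN     0x1   /* link on the input path */
#define MP_OUT    0x2   /* link on the output path */
#define MP_APPEND 0x4   /* append to the chain; default is prepend */
#define MP_UNLINK 0x8   /* remove the link instead of creating it */
#define MP_MAX    8     /* hooks per chain in this model */

enum mp_ret { MP_PASS, MP_DROPPED };

/* A packet, reduced to what the toy hook needs to decide. */
struct mp_pkt { int dport; };

/* A filter: "module:ruleset" name, its function and its ruleset. */
struct mp_hook {
    const char *name;
    enum mp_ret (*func)(const struct mp_pkt *, void *ruleset);
    void *ruleset;
};

/* A filtering point with separate input and output chains. */
struct mp_head {
    const char *name;
    struct mp_hook *in[MP_MAX];  int nin;
    struct mp_hook *out[MP_MAX]; int nout;
};

static void chain_add(struct mp_hook **c, int *n, struct mp_hook *h, int append)
{
    if (*n >= MP_MAX) return;
    if (!append)                                  /* prepend: shift right */
        memmove(c + 1, c, (size_t)*n * sizeof *c);
    c[append ? *n : 0] = h;
    (*n)++;
}

static void chain_del(struct mp_hook **c, int *n, struct mp_hook *h)
{
    for (int i = 0; i < *n; i++)
        if (c[i] == h) {
            memmove(c + i, c + i + 1, (size_t)(*n - i - 1) * sizeof *c);
            (*n)--;
            return;
        }
}

/* Link a hook to a head on the paths named in flags, or unlink it with
 * MP_UNLINK. Unlinking one direction leaves the other direction untouched. */
int mp_link(struct mp_head *hd, struct mp_hook *h, int flags)
{
    if (!(flags & (MP_IN | MP_OUT))) return EINVAL;
    if (flags & MP_IN) {
        if (flags & MP_UNLINK) chain_del(hd->in, &hd->nin, h);
        else chain_add(hd->in, &hd->nin, h, flags & MP_APPEND);
    }
    if (flags & MP_OUT) {
        if (flags & MP_UNLINK) chain_del(hd->out, &hd->nout, h);
        else chain_add(hd->out, &hd->nout, h, flags & MP_APPEND);
    }
    return 0;
}

/* Run one direction's chain in order: 0 when every hook passes, EPERM when a
 * hook drops (the errno the reply above says ip[6]_output() now reports). */
int mp_run(struct mp_head *hd, int dir, const struct mp_pkt *p)
{
    struct mp_hook **c = dir == MP_IN ? hd->in : hd->out;
    int n = dir == MP_IN ? hd->nin : hd->nout;
    for (int i = 0; i < n; i++)
        if (c[i]->func(p, c[i]->ruleset) == MP_DROPPED) return EPERM;
    return 0;
}

/* Toy filter: the ruleset is a single destination port to block. */
static enum mp_ret block_port(const struct mp_pkt *p, void *rs)
{
    return p->dport == *(int *)rs ? MP_DROPPED : MP_PASS;
}

/* Walk the reconfigurations the log lists; each expected outcome sets a bit,
 * so the result is 63 when all of them hold. Names are constructed. */
int mp_scenario(void)
{
    static int p22 = 22, p53 = 53;
    struct mp_hook ipfw = { "ipfw:default", block_port, &p22 };
    struct mp_hook pf   = { "pf:default",   block_port, &p53 };
    struct mp_head inet = { .name = "inet" };
    struct mp_pkt ssh = { 22 }, dns = { 53 };
    int r = 0;

    mp_link(&inet, &ipfw, MP_IN | MP_OUT);             /* ipfw on both paths */
    mp_link(&inet, &pf, MP_IN);                        /* pf on input only */
    if (mp_run(&inet, MP_OUT, &ssh) == EPERM) r |= 1;  /* blocked outbound */
    if (mp_run(&inet, MP_OUT, &dns) == 0)     r |= 2;  /* pf is not on out */
    mp_link(&inet, &ipfw, MP_OUT | MP_UNLINK);         /* ipfw off output only */
    if (mp_run(&inet, MP_OUT, &ssh) == 0)     r |= 4;  /* outbound now passes */
    if (mp_run(&inet, MP_IN, &ssh) == EPERM)  r |= 8;  /* inbound still filtered */
    if (inet.in[0] == &pf && inet.in[1] == &ipfw) r |= 16; /* prepend: pf first */
    mp_link(&inet, &pf, MP_IN | MP_UNLINK);
    mp_link(&inet, &pf, MP_IN | MP_APPEND);            /* append: pf last */
    if (inet.in[1] == &pf) r |= 32;
    return r;
}
```

The point worth taking from the model is the last check in mp_scenario(): with prepend as the default, the order in which filters are linked decides which ruleset sees a packet first, so a reconfiguration that relinks a hook can silently change policy evaluation order unless MP_APPEND (or its real counterpart) is chosen deliberately.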