From: Cy Schubert <cy.schubert@cschubert.com>
To: "Andrey V. Elsukov", Gleb Smirnoff, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Date: Wed, 18 Dec 2019 07:09:45 -0800
Subject: Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf
References: <201901312301.x0VN13lM097213@repo.freebsd.org>
List-Id: SVN commit messages for the src tree for head/-current

On December 18, 2019 4:27:58 AM PST, "Andrey V. Elsukov" wrote:
>On 01.02.2019 02:01, Gleb Smirnoff wrote:
>> Author: glebius
>> Date: Thu Jan 31 23:01:03 2019
>> New Revision: 343631
>> URL: https://svnweb.freebsd.org/changeset/base/343631
>>
>> Log:
>>   New pfil(9) KPI together with newborn pfil API and control utility.
>>
>>   The KPI has been reviewed and cleansed of features that were planned
>>   back 20 years ago and never implemented. The pfil(9) internals have
>>   been made opaque to protocols with only returned types and function
>>   declarations exposed. The KPI is made more strict, but at the same
>>   time more extensible, as the kernel uses the same command structures
>>   that the userland ioctl uses.
>>
>>   In a nutshell, the [KA]PI is about declaring filtering points, declaring
>>   filters and linking and unlinking them together.
>>
>>   The new [KA]PI makes it possible to reconfigure the pfil(9) configuration:
>>   change the order of hooks, rehook a filter from one filtering point to a
>>   different one, disconnect a hook on output leaving it on input only,
>>   prepend/append a filter to an existing list of filters.
>>
>>   Now it is possible for a single packet filter to provide multiple
>>   rulesets that may be linked to different points. Think of per-interface
>>   ACLs in Cisco or Juniper. None of the existing packet filters yet support
>>   that, however limited usage is already possible, e.g. the default ruleset
>>   can be moved to a single interface, as soon as interfaces would provide
>>   their filtering points.
>>
>>   Another future feature is the possibility to create pfil heads that
>>   provide not an mbuf pointer but just a memory pointer with length. That
>>   would allow filtering at very early stages of a packet lifecycle, e.g.
>>   when a packet has just been received by a NIC and no mbuf was yet
>>   allocated.
>
>It seems that this commit has changed the error code returned from
>ip[6]_output() when a packet is blocked. Previously it was EACCES, but
>now it became EPERM. Was it intentional?

EPERM, operation not permitted regardless of privilege, is more appropriate.

-- 
Pardon the typos and autocorrect, small keyboard in use.
Cy Schubert
FreeBSD UNIX: Web: https://www.FreeBSD.org

The need of the many outweighs the greed of the few.

Sent from my Android device with K-9 Mail. Please excuse my brevity.