Date:      Thu, 16 Sep 2004 03:58:14 -0000
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        pf4freebsd@freelists.org
Cc:        pf <pf@benzedrine.cx>
Subject:   [pf4freebsd] Re: Problem with pf and ng0 interface.
Message-ID:  <20031211103102.GF24011@insomnia.benzedrine.cx>
In-Reply-To: <200312110156.33089.max@love2party.net>
References:  <20031210184630.29a41d83.dpphln@tin.it> <200312102015.42768.max@love2party.net> <200312110156.33089.max@love2party.net>

On Thu, Dec 11, 2003 at 01:56:33AM +0100, Max Laier wrote:

> I didn't think about this to the end ... but it would not hurt (too much) to
> have rules for non-existent interfaces. As long as they are not used in
> route-to context that is.

Some changes will have to be made. The current scheme is

  - rules sent through ioctl to the kernel (pfctl -> pf) contain the
    interface name (or an empty string, if the rule should apply to
    any interface)

  - the kernel calls ifunit() to get the address of the struct ifnet
    with that name, this happens when the rule is loaded (transferred
    through ioctl)

  - anything afterwards only uses the struct ifnet pointer, pf_test()
    gets passed the struct ifnet pointer of the interface the packet
    attempts to pass, and compares it with rules' struct ifnet pointers.

This was done to prevent string comparisons during ruleset evaluation,
an address comparison is cheaper than comparing two strings for each
packet for each rule.

There are, however, some issues with this:

  a) interface name to pointer translation is done at ruleset load time,
     so interfaces must exist when the ruleset is loaded.

  b) name to pointer translation is assumed to give a constant result
     (i.e. ifunit("xl0") is assumed to return the same address on every
     invocation). This is violated for instance when you unplug and
     re-attach a USB NIC like kue(4). With interface cloning, however,
     this becomes a more prominent problem.

  c) we're thinking about adding support for interface wildcards,
     like 'pass in on xl*' where xl* would match xl0, xl1, etc.
     when present.

  d) with laptops, you often have several NICs that might be used
     equivalently (like, either wi0 or fxp0 is used, depending on
     whether there's wireless or not). It would be nice if you could
     load, say

       pass out on { wi0, fxp0 } keep state

     even if wi0 doesn't exist at boot time. Later, when you plug
     in a PCMCIA wi0, you wouldn't need to reload the ruleset, but
     the existing rule would match the new interface.

So, all of this is certainly possible with string comparisons. But I'd
like to prevent doing that on every rule evaluation. Maybe still do some
name to ifnet translation, but either trigger re-translations from
outside when ifnets change, or do it from inside pf, maybe with a timer.

Daniel
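
As an added illustration (not pf code, and not part of this mail or the thread): a toy C model of the load-time name-to-pointer scheme described above, showing issue a) (a rule for an absent interface cannot be loaded), issue b) (the struct ifnet pointer goes stale when kue0 is unplugged and re-attached) and the "trigger re-translations from outside when ifnets change" approach, which also covers point d). Everything here is an assumption for the example: `pool`, `if_attach`, `if_detach`, `pf_retranslate`, the `allow_missing` flag and the demo functions are invented, and `ifunit`, `struct ifnet` and `struct pf_rule` only mimic the real kernel types by name.

```c
/* Toy model of pf's interface-name -> struct ifnet pointer scheme.
 * Constructed example; none of this is pf or FreeBSD kernel code. */
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16
#define NPOOL 16

struct ifnet {
    char if_xname[IFNAMSIZ];
    struct ifnet *if_next;
};

struct pf_rule {
    char ifname[IFNAMSIZ];  /* name as sent by pfctl; "" = any interface */
    struct ifnet *ifp;      /* pointer resolved from the name */
};

/* constructed stand-in for the kernel's interface list; pool slots are
 * never reused, so a re-attached interface always gets a new address */
static struct ifnet pool[NPOOL];
static int npool;
static struct ifnet *ifnet_list;

static void ifnet_reset(void) {
    npool = 0;
    ifnet_list = NULL;
    memset(pool, 0, sizeof pool);
}

/* like ifunit(9): name -> struct ifnet *, or NULL if absent */
static struct ifnet *ifunit(const char *name) {
    struct ifnet *ifp;
    for (ifp = ifnet_list; ifp != NULL; ifp = ifp->if_next)
        if (strcmp(ifp->if_xname, name) == 0)
            return ifp;
    return NULL;
}

static struct ifnet *if_attach(const char *name) {
    struct ifnet *ifp;
    if (npool >= NPOOL)
        return NULL;
    ifp = &pool[npool++];
    strncpy(ifp->if_xname, name, IFNAMSIZ - 1);
    ifp->if_next = ifnet_list;
    ifnet_list = ifp;
    return ifp;
}

static void if_detach(const char *name) {
    struct ifnet **pp;
    for (pp = &ifnet_list; *pp != NULL; pp = &(*pp)->if_next)
        if (strcmp((*pp)->if_xname, name) == 0) {
            *pp = (*pp)->if_next;   /* old address now stale in any rule */
            return;
        }
}

/* ruleset load: translate the name to a pointer once (issue a).
 * allow_missing=1 models accepting a rule for a not-yet-present NIC. */
static int pf_rule_load(struct pf_rule *r, const char *ifname, int allow_missing) {
    memset(r, 0, sizeof *r);
    strncpy(r->ifname, ifname, IFNAMSIZ - 1);
    if (r->ifname[0] == '\0')
        return 0;               /* "any interface" rule */
    r->ifp = ifunit(r->ifname);
    return (r->ifp != NULL || allow_missing) ? 0 : -1;
}

/* per-packet test: pointer comparison only, no string compare */
static int pf_rule_matches(const struct pf_rule *r, const struct ifnet *ifp) {
    return r->ifname[0] == '\0' || (r->ifp != NULL && r->ifp == ifp);
}

/* mitigation: re-run the name lookup for every rule when ifnets change */
static void pf_retranslate(struct pf_rule *rules, int n) {
    int i;
    for (i = 0; i < n; i++)
        if (rules[i].ifname[0] != '\0')
            rules[i].ifp = ifunit(rules[i].ifname);
}

/* issue a): the current scheme rejects a rule for an absent interface */
static int load_absent_iface(void) {
    struct pf_rule r;
    ifnet_reset();
    if_attach("fxp0");
    return pf_rule_load(&r, "wi0", 0);   /* -1: wi0 does not exist */
}

/* issue b): unplug and re-attach kue0. retranslate=0 shows the stale
 * pointer (rule no longer matches), retranslate=1 shows the fix. */
static int reattach_demo(int retranslate) {
    struct pf_rule r;
    struct ifnet *kue0;
    ifnet_reset();
    if_attach("kue0");
    if (pf_rule_load(&r, "kue0", 0) != 0)
        return -1;
    if_detach("kue0");
    kue0 = if_attach("kue0");            /* new struct ifnet, new address */
    if (retranslate)
        pf_retranslate(&r, 1);           /* triggered by the attach event */
    return pf_rule_matches(&r, kue0);
}

/* point d): load a rule for wi0 before it exists, then plug it in */
static int late_attach_demo(void) {
    struct pf_rule r;
    struct ifnet *wi0;
    ifnet_reset();
    if_attach("fxp0");
    if (pf_rule_load(&r, "wi0", 1) != 0)
        return -1;
    wi0 = if_attach("wi0");
    pf_retranslate(&r, 1);
    return pf_rule_matches(&r, wi0);
}

int main(void) {
    printf("load on absent wi0: %d\n", load_absent_iface());
    printf("kue0 re-attach, no retranslate: %d\n", reattach_demo(0));
    printf("kue0 re-attach, with retranslate: %d\n", reattach_demo(1));
    printf("wi0 attached after load: %d\n", late_attach_demo());
    return 0;
}
```

The per-packet path still compares only pointers; the string lookups move to the (rare) interface attach/detach event, which is the trade-off the mail is after. A wildcard such as `xl*` would need a rule to resolve to a set of pointers rather than one, which this toy does not model.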
