From owner-freebsd-pf@FreeBSD.ORG Thu Sep 16 03:58:14 2004
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 674) id 9BED716A4CF; Thu, 16 Sep 2004 03:58:14 +0000 (GMT)
Delivered-To: mlaier@vampire.homelinux.org
Received: (qmail 8831 invoked by uid 1005); 11 Dec 2003 10:35:29 -0000
Delivered-To: max@vampire.homelinux.org
Received: (qmail 8828 invoked from network); 11 Dec 2003 10:35:29 -0000
Received: from moutng.kundenserver.de (212.227.126.188) by pd9530e66.dip.t-dialin.net with SMTP; 11 Dec 2003 10:35:29 -0000
Received: from [212.227.126.215] (helo=mxng19.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1AUO6O-00010g-00 for max@vampire.homelinux.org; Thu, 11 Dec 2003 11:31:24 +0100
Received: from [206.53.239.180] (helo=turing.freelists.org) by mxng19.kundenserver.de with esmtp (Exim 3.35 #1) id 1AUO6L-000141-00 for max@love2party.net; Thu, 11 Dec 2003 11:31:21 +0100
Received: from turing (localhost [127.0.0.1]) ESMTP id 82D79394973; Thu, 11 Dec 2003 05:15:30 -0500 (EST)
Received: with ECARTIS (v1.0.0; list pf4freebsd); Thu, 11 Dec 2003 05:15:21 -0500 (EST)
X-Original-To: pf4freebsd@freelists.org
Delivered-To: pf4freebsd@freelists.org
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) ESMTP id 11F8939494D for ; Thu, 11 Dec 2003 05:15:19 -0500 (EST)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) hBBAV3NX012993 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Thu, 11 Dec 2003 11:31:03 +0100 (MET)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.12.10/8.12.10/Submit) id hBBAV2Ih017659; Thu, 11 Dec 2003 11:31:02 +0100 (MET)
From: Daniel Hartmeier
To: pf4freebsd@freelists.org
Message-ID: <20031211103102.GF24011@insomnia.benzedrine.cx>
References: <20031210184630.29a41d83.dpphln@tin.it> <200312102015.42768.max@love2party.net> <200312110156.33089.max@love2party.net>
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200312110156.33089.max@love2party.net>
User-Agent: Mutt/1.4.1i
X-archive-position: 236
X-ecartis-version: Ecartis v1.0.0
Sender: pf4freebsd-bounce@freelists.org
Errors-To: pf4freebsd-bounce@freelists.org
X-original-sender: daniel@benzedrine.cx
Precedence: normal
X-list: pf4freebsd
Content-Transfer-Encoding: quoted-printable
X-Provags-Forward: max@love2party.net -> max@vampire.homelinux.org
X-UID: 354
X-Length: 5205
X-Mailman-Approved-At: Thu, 16 Sep 2004 03:59:49 +0000
cc: pf
Subject: [pf4freebsd] Re: Problem with pf and ng0 interface.
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Reply-To: pf4freebsd@freelists.org
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Date: Thu, 16 Sep 2004 03:58:14 -0000
X-Original-Date: Thu, 11 Dec 2003 11:31:02 +0100
X-List-Received-Date: Thu, 16 Sep 2004 03:58:14 -0000

On Thu, Dec 11, 2003 at 01:56:33AM +0100, Max Laier wrote:

> I didn't think about this to the end ... but it would not hurt (too much) to
> have rules for non-existent interfaces. As long as they are not used in
> route-to context that is.

Some changes will have to be made. The current scheme is

- rules sent through ioctl to the kernel (pfctl -> pf) contain the interface name (or an empty string, if the rule should apply to any interface)

- the kernel calls ifunit() to get the address of the struct ifnet with that name; this happens when the rule is loaded (transferred through ioctl)

- anything afterwards only uses the struct ifnet pointer: pf_test() gets passed the struct ifnet pointer of the interface the packet attempts to pass, and compares it with the rules' struct ifnet pointers.

This was done to prevent string comparisons during ruleset evaluation; an address comparison is cheaper than comparing two strings for each packet for each rule.
There are, however, some issues with this:

a) interface name to pointer translation is done at ruleset load time, so interfaces must exist when the ruleset is loaded.

b) name to pointer translation is assumed to give a constant result (i.e. ifunit("xl0") is assumed to return the same address on every invocation). This is violated for instance when you unplug and re-attach a USB NIC like kue(4). With interface cloning, however, this becomes a more prominent problem.

c) we're thinking about adding support for interface wildcards, like 'pass in on xl*' where xl* would match xl0, xl1, etc. when present.

d) with laptops, you often have several NICs that might be used equivalently (like, either wi0 or fxp0 is used, depending on whether there's wireless or not). It would be nice if you could load, say

  pass out on { wi0, fxp0 } keep state

even if wi0 doesn't exist at boot time. Later, when you plug in a PCMCIA wi0, you wouldn't need to reload the ruleset, but the existing rule would match the new interface.

So, all of this is certainly possible with string comparisons. But I'd like to prevent doing that on every rule evaluation. Maybe still do some name to ifnet translation, but either trigger re-translations from outside when ifnets change, or do it from inside pf, maybe with a timer.

Daniel
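Added example, not from Daniel's mail and not pf's own source: a small userland C model of the two binding schemes the mail contrasts. The old scheme resolves the interface name once at load time and compares struct ifnet pointers per packet; the sketched alternative keeps the name, caches a translation, and re-translates only when the interface table changes. Everything here is a stand-in made up for the model: the fixed slot table behind struct ifnet, the round-robin if_attach() and if_detach(), the if_generation counter that plays the role of "trigger re-translations from outside when ifnets change", and the per-rule ifmask bit set. ifunit() is a toy version of the kernel function, and the interface names (wi0, fxp0, xl0, kue) are the ones used in the mail.

```c
#include <stdbool.h>
#include <string.h>

#define IFNAMSIZ 16
#define MAX_IFS  8

/* Toy stand-in for struct ifnet: a fixed slot table filled round-robin, so an
 * unplugged and re-attached NIC lands in a new slot and gets a new address,
 * mimicking the kue(4) and interface-cloning cases from the mail. */
struct ifnet {
    char if_xname[IFNAMSIZ];
    bool attached;
};
static struct ifnet ifs[MAX_IFS];
static int next_slot;
static unsigned long if_generation;   /* bumped on every attach/detach */

/* Model of ifunit(): name -> pointer, NULL if no such interface is attached. */
struct ifnet *ifunit(const char *name) {
    for (int i = 0; i < MAX_IFS; i++)
        if (ifs[i].attached && strcmp(ifs[i].if_xname, name) == 0)
            return &ifs[i];
    return NULL;
}

struct ifnet *if_attach(const char *name) {
    for (int n = 0; n < MAX_IFS; n++) {
        int i = (next_slot + n) % MAX_IFS;
        if (ifs[i].attached) continue;
        snprintf(ifs[i].if_xname, IFNAMSIZ, "%s", name);
        ifs[i].attached = true;
        next_slot = (i + 1) % MAX_IFS;
        if_generation++;
        return &ifs[i];
    }
    return NULL;
}

void if_detach(struct ifnet *ifp) {
    ifp->attached = false;
    if_generation++;
}

/* A rule keeps the name pfctl sent ("" = any interface).  ifp is the old
 * scheme's load-time pointer; gen/ifmask is the cached, re-translatable
 * binding the mail sketches (bit i set when ifs[i] currently matches). */
struct rule {
    char          ifname[IFNAMSIZ];
    struct ifnet *ifp;
    unsigned long gen;
    unsigned      ifmask;
};

/* Old scheme: translate once at load; fails if the interface is absent (issue a). */
bool rule_load_old(struct rule *r, const char *ifname) {
    snprintf(r->ifname, IFNAMSIZ, "%s", ifname);
    r->ifp = ifunit(ifname);
    return ifname[0] == '\0' || r->ifp != NULL;
}

/* Old scheme per packet: a cheap pointer compare, stale after re-attach (issue b). */
bool rule_matches_old(const struct rule *r, const struct ifnet *ifp) {
    return r->ifname[0] == '\0' || r->ifp == ifp;
}

/* Trailing '*' wildcard, as in 'pass in on xl*' (issue c). */
bool ifname_match(const char *pat, const char *name) {
    size_t n = strlen(pat);
    if (n > 0 && pat[n - 1] == '*')
        return strncmp(pat, name, n - 1) == 0;
    return strcmp(pat, name) == 0;
}

/* Re-translate name -> set of slots.  Runs only when the ifnet table changed,
 * so the string compares stay off the per-packet path. */
static void rule_rebind(struct rule *r) {
    r->ifmask = 0;
    for (int i = 0; i < MAX_IFS; i++)
        if (ifs[i].attached && ifname_match(r->ifname, ifs[i].if_xname))
            r->ifmask |= 1u << i;
    r->gen = if_generation;
}

/* New scheme: loading never fails, so a rule may name an interface that does
 * not exist yet and will match it once it appears (issue d). */
void rule_load_new(struct rule *r, const char *ifname) {
    snprintf(r->ifname, IFNAMSIZ, "%s", ifname);
    rule_rebind(r);
}

bool rule_matches_new(struct rule *r, const struct ifnet *ifp) {
    if (r->ifname[0] == '\0') return true;
    if (r->gen != if_generation)          /* slow path only after attach/detach */
        rule_rebind(r);
    return (r->ifmask >> (ifp - ifs)) & 1u;   /* fast path: one bit test */
}
```

Loading a wi0 rule, detaching wi0 and attaching it again makes rule_matches_old() silently stop matching, because the cached pointer now refers to a slot that is no longer wi0, while rule_matches_new() notices the generation change, re-translates once, and matches the new address. The same lazy re-translation is what lets a 'xl*' rule loaded before any xl interface exists start matching xl0 and xl1 as they appear, with string comparisons happening only on the first packet after a change rather than on every rule evaluation. The bit mask works only because the toy table is fixed-size; a kernel implementation would hang the cached binding off the ifnet list instead, but the generation-counter idea carries over unchanged.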