From owner-freebsd-net@FreeBSD.ORG Mon Jan 30 21:08:37 2012 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 718F5106566B for ; Mon, 30 Jan 2012 21:08:37 +0000 (UTC) (envelope-from freebsd-net@m.gmane.org) Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) by mx1.freebsd.org (Postfix) with ESMTP id 2AFA98FC18 for ; Mon, 30 Jan 2012 21:08:36 +0000 (UTC) Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1RrySq-0006bH-7b for freebsd-net@freebsd.org; Mon, 30 Jan 2012 22:08:36 +0100 Received: from broadband-77-37-240-109.nationalcablenetworks.ru ([77.37.240.109]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 30 Jan 2012 22:08:36 +0100 Received: from vadim_nuclight by broadband-77-37-240-109.nationalcablenetworks.ru with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 30 Jan 2012 22:08:36 +0100 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-net@freebsd.org From: Vadim Goncharov Date: Mon, 30 Jan 2012 21:08:25 +0000 (UTC) Organization: Nuclear Lightning @ Tomsk, TPU AVTF Hostel Lines: 91 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Complaints-To: usenet@dough.gmane.org X-Gmane-NNTP-Posting-Host: broadband-77-37-240-109.nationalcablenetworks.ru X-Comment-To: Ermal Lu?i User-Agent: slrn/0.9.9p1 (FreeBSD) Cc: freebsd-hackers@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: [PATCH] multiple instances of ipfw(4) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vadim_nuclight@mail.ru List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Jan 2012 21:08:37 -0000 Hi Ermal Lu?i! On Mon, 30 Jan 2012 13:01:13 +0100; Ermal Lu?i wrote about '[PATCH] multiple instances of ipfw(4)': > from needs on pfSense a patch for allowing multiple intances of > ipfw(4) in kernel to co-exist was developed. > It can be found here > https://raw.github.com/bsdperimeter/pfsense-tools/master/patches/RELENG_9_0/CP_multi_instance_ipfw.diff Hmm, looking at the lines if (oif && !(oif->if_flags & IFF_IPFW_FILTER)) return (IP_FW_PASS); it appears that a patch is made against somewhat private, I couldn't find that in stock FreeBSD. > It is used in conjuction with this tool > https://raw.github.com/bsdperimeter/pfsense-tools/master/pfPorts/ipfw_context/files/ipfw_context.c > It allows creation of contextes/instances and assignment of specific > interfaces to specific contexts/instances. It is not clear how to add a rule to a specific instance with this program. > Surely i know that this is not the best way to implement generically > but it gets the job done for us as it is, read below. > What i would like to know is if there is interest to see such > functionality in FreeBSD? > I am asking first to see if there is some consensus about this as a > feature, needed or not! > If interest is shown i will transform the patch to allow: > - ipfw(8) to manage the contextes create/destroy > - ipfw(8) to manage interface membership. Closing the race of two > parallell clients modifying different contextes. > There is another design choice to be made about storing the membership > of interfaces into contexts/instances, but i do not see that as > blocking. > It is quite handy feature, which can be exploited even to scale on SMP > machines by extending it to bind a specific instance(with its > interaces) to a specific CPU/core?! Not so simple/straightforward questions. On the one hand, there are at least /some/ people who need this. So the ipfw 'call'/'return' actions were already implemented, first appearing in 9.0-R / 8.3-R. And melifaro@ has patches to ipfw table allowing matching againt ifname, setting tablearg, which in conjunction with 'call' or 'skipto' could be used to make essentially the same functionality as your proposed patch, already in stock FreeBSD. On the other hand, both ipfw contexts and ipfw 'call' are very half-measures. The only goal was to give people something right now, and see how much this will be demanded, what feedback they'll give, etc. It is obvious there is no wide testing of 9.0-R (and 8.3-R too) right now. What I mean here about half-measures? The ipfw 'call' is just a sketch of my old ideas to completely reorganize ipfw to support multiple rulesets. To be generic and Right Thing(tm), this is a HUGE work, because: - each ipfw chain becomes independent netgraph(4) node - generic ng_pfil node usable not only for firewalls - chains may be called from each other (see iptables) - chains (actually netgraph nodes) may be bind to ifaces or any other place - main unnamed chain is called from pfil as before - rewrite ipfw & dummynet management from setsockopt() to netgraph messages - completely rewrite ipfw dynamic rules to not conflict with multiple rulesets, as now they just jump to parent static rule (need to be more like pf or iptables states). This item is hard but essential (you'll get a mess jumping to another ruleset), and ipfw contexts don't handle ot - while here, do other needed things, e.g. adding support for modules in both kernel and userland, loadable opcodes, keywords, etc. Even if not add something like bpf, that's ipfw_ng is probably a more major change than both ipfw2 and ipfw3 :) Due to various reasons in my private life, I was unable to do it in my spare time previous years. My new employer is a provider using FreeBSD on most machines, so I hope I could finally begin doing it at work (and for work), but only several months later after more actual tasks. But, all of this only makes sense to be generic for needs of broad masses of our users. And in pfSense ipfw users are actually only it's authors (all others see web interface), so it's better and more practical to not rely on such complex solution, but rather on something more simple and specialized for their needs. Such as your proposed ipfw contexts. -- WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru [Anti-Greenpeace][Sober FreeBSD zealot][http://nuclight.livejournal.com]