Date: Thu, 31 Jan 2019 15:44:30 -0800
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: Gleb Smirnoff <glebius@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf
Message-ID: <d086aee2-c9bc-2947-f1cd-6921c0acbc88@FreeBSD.org>
In-Reply-To: <201901312301.x0VN13lM097213@repo.freebsd.org>
References: <201901312301.x0VN13lM097213@repo.freebsd.org>

On 1/31/19 3:01 PM, Gleb Smirnoff wrote:
> Author: glebius
> Date: Thu Jan 31 23:01:03 2019
> New Revision: 343631
> URL: https://svnweb.freebsd.org/changeset/base/343631
>
> Log:
>   New pfil(9) KPI together with newborn pfil API and control utility.
>
>   The KPI has been reviewed and cleansed of features that were planned
>   back 20 years ago and never implemented.  The pfil(9) internals have
>   been made opaque to protocols with only returned types and function
>   declarations exposed.  The KPI is made more strict, but at the same time
>   more extensible, as kernel uses same command structures that userland
>   ioctl uses.
>
>   In a nutshell [KA]PI is about declaring filtering points, declaring
>   filters and linking and unlinking them together.
>
>   New [KA]PI makes it possible to reconfigure pfil(9) configuration:
>   change order of hooks, rehook filter from one filtering point to a
>   different one, disconnect a hook on output leaving it on input only,
>   prepend/append a filter to existing list of filters.
>
>   Now it is possible for a single packet filter to provide multiple rulesets
>   that may be linked to different points.  Think of per-interface ACLs in
>   Cisco or Juniper.  None of existing packet filters yet support that,
>   however limited usage is already possible, e.g. default ruleset can
>   be moved to single interface, as soon as interface would provide their
>   filtering points.
>
>   Another future feature is possibility to create pfil heads, that provide
>   not an mbuf pointer but just a memory pointer with length.  That would
>   allow filtering at very early stages of a packet lifecycle, e.g. when
>   packet has just been received by a NIC and no mbuf was yet allocated.
>
>   Differential Revision: https://reviews.freebsd.org/D18951
>
> Added:
>   head/sbin/pfilctl/
>   head/sbin/pfilctl/Makefile (contents, props changed)
>   head/sbin/pfilctl/pfilctl.8 (contents, props changed)
>   head/sbin/pfilctl/pfilctl.c (contents, props changed)
> Modified:
>   head/ObsoleteFiles.inc
>   head/sbin/Makefile
>   head/share/man/man9/Makefile
>   head/share/man/man9/pfil.9
>   head/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
>   head/sys/net/if_bridge.c
>   head/sys/net/if_enc.c
>   head/sys/net/if_ethersubr.c
>   head/sys/net/if_var.h
>   head/sys/net/pfil.c
>   head/sys/net/pfil.h
>   head/sys/netinet/ip_fastfwd.c
>   head/sys/netinet/ip_input.c
>   head/sys/netinet/ip_output.c
>   head/sys/netinet/ip_var.h
>   head/sys/netinet/siftr.c
>   head/sys/netinet6/ip6_fastfwd.c
>   head/sys/netinet6/ip6_forward.c
>   head/sys/netinet6/ip6_input.c
>   head/sys/netinet6/ip6_output.c
>   head/sys/netinet6/ip6_var.h
>   head/sys/netpfil/ipfw/ip_fw_eaction.c
>   head/sys/netpfil/ipfw/ip_fw_pfil.c
>   head/sys/netpfil/pf/pf_ioctl.c

This breaks the build.
https://ci.freebsd.org/job/FreeBSD-head-powerpc64-build/9220/console

> 23:28:54 cc1: warnings being treated as errors
> 23:28:54 /usr/src/sbin/pfilctl/pfilctl.c: In function 'help':
> 23:28:54 /usr/src/sbin/pfilctl/pfilctl.c:97: warning: nested extern declaration of '__progname'
> 23:28:54 --- all_subdir_lib ---
> 23:28:54 --- clog.3.gz ---
> 23:28:54 gzip -cn /usr/src/lib/msun/man/clog.3 > clog.3.gz
> 23:28:54 --- all_subdir_sbin ---
> 23:28:54 *** [pfilctl.o] Error code 1
> 23:28:54
> 23:28:54 make[4]: stopped in /usr/src/sbin/pfilctl

-- 
Regards,
Bryan Drewery
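
The commit log quoted above describes filtering points to which filters are linked per direction, prepended or appended, and unlinked from one direction while staying on the other. The following toy model of that idea is an added example, not code from the commit or from FreeBSD; every name in it (toy_link, toy_unlink, toy_run, the T_* flags, the sample filters) is hypothetical and is not the pfil(9) KPI.

```c
/* Toy model of filtering points and hooks; all names are hypothetical, not pfil(9). */
#include <stddef.h>
#include <string.h>
enum { T_IN = 1, T_OUT = 2, T_PREPEND = 4 };   /* link flags */
enum { T_PASS, T_DROP };                       /* hook verdicts */
#define T_MAX 8
typedef int (*toy_fn)(const unsigned char *pkt, size_t len);
struct toy_hook { const char *name; toy_fn fn; };
struct toy_head { const struct toy_hook *h[2][T_MAX]; int n[2]; };  /* [0]=in, [1]=out */

/* Link hk on each direction named in flags, at the front or the back of the chain. */
int toy_link(struct toy_head *hd, const struct toy_hook *hk, int flags) {
    if (hd->n[0] == T_MAX || hd->n[1] == T_MAX) return -1;
    for (int d = 0; d < 2; d++) {
        int at = (flags & T_PREPEND) ? 0 : hd->n[d];
        if (!(flags & (1 << d))) continue;
        memmove(&hd->h[d][at + 1], &hd->h[d][at], (size_t)(hd->n[d] - at) * sizeof hk);
        hd->h[d][at] = hk;
        hd->n[d]++;
    }
    return 0;
}

/* Unlink hk from each direction named in flags; the other direction stays linked. */
int toy_unlink(struct toy_head *hd, const struct toy_hook *hk, int flags) {
    int found = 0;
    for (int d = 0; d < 2; d++)
        for (int i = 0; (flags & (1 << d)) && i < hd->n[d]; i++)
            if (hd->h[d][i] == hk) {
                memmove(&hd->h[d][i], &hd->h[d][i + 1], (size_t)(hd->n[d] - i - 1) * sizeof hk);
                hd->n[d]--; found++;
                break;
            }
    return found ? 0 : -1;
}

/* Walk one chain in order; the first DROP ends the walk. seen needs T_MAX + 1 bytes. */
int toy_run(const struct toy_head *hd, int dir, const unsigned char *pkt, size_t len, char *seen) {
    int d = (dir == T_OUT), i, verdict = T_PASS;
    for (i = 0; i < hd->n[d] && verdict == T_PASS; i++) {
        seen[i] = hd->h[d][i]->name[0];        /* record which hook ran */
        verdict = hd->h[d][i]->fn(pkt, len);
    }
    seen[i] = '\0';
    return verdict;
}

/* Constructed sample filters: one drops packets shorter than 20 bytes, one always passes. */
static int f_minlen(const unsigned char *p, size_t n) { (void)p; return n < 20 ? T_DROP : T_PASS; }
static int f_count(const unsigned char *p, size_t n) { (void)p; (void)n; return T_PASS; }
const struct toy_hook toy_acl = { "acl", f_minlen }, toy_stats = { "stats", f_count };
```

Because the walk stops at the first drop, the order set at link time decides which filters ever see a packet, and a filter unlinked from output no longer constrains outbound traffic at that point.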