From owner-freebsd-net@FreeBSD.ORG Tue Dec 14 14:31:18 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9409416A4CE; Tue, 14 Dec 2004 14:31:18 +0000 (GMT) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 718BD43D1D; Tue, 14 Dec 2004 14:31:18 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.11/8.12.8) with ESMTP id iBEEVIsd078165; Tue, 14 Dec 2004 06:31:18 -0800 (PST) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.11/8.12.3/Submit) id iBEEVIFf078164; Tue, 14 Dec 2004 06:31:18 -0800 (PST) (envelope-from rizzo) Date: Tue, 14 Dec 2004 06:31:18 -0800 From: Luigi Rizzo To: Andre Oppermann Message-ID: <20041214063118.B77933@xorpc.icir.org> References: <20041213124051.GB32719@cell.sick.ru> <20041214015603.A75019@xorpc.icir.org> <20041214060341.A77720@xorpc.icir.org> <41BEF746.E8362858@freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <41BEF746.E8362858@freebsd.org>; from andre@freebsd.org on Tue, Dec 14, 2004 at 03:23:02PM +0100 cc: Max Laier cc: freebsd-net@freebsd.org Subject: Re: per-interface packet filters [summary] X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Dec 2004 14:31:18 -0000 On Tue, Dec 14, 2004 at 03:23:02PM +0100, Andre Oppermann wrote: ... > > the struct ifnet. All i meant to say is that we want a unique > > key, possibly in a small namespace, to quickly locate the per-if > > private firewall info. How the key is used is not a business of > > the rest of the kernel. But of course if it is an index in a > > smallish array (such as ifindex) the thing is fast and clean. > > Ok, I'm fine with *this* approach. > > This can be done and handled inside ipfw_check_in|out() based on the > interface pointer information passed in from pfil_run_hooks(). > > Then inside IPFW it can be implemented with multiple rule chains > although I'm not convinced this would be the smartest approach. alternatives ? > Wouldn't it be even better to have per-interface and global rules > after each other? This way your problem with the general rule > synching can be solved. this is what gleb suggested later today, but i don't think this solves the problem because sometimes you want the common processing to be at the beginning, sometimes at the end of the chain... Plus there is the issue of namespace -- when you do 'skipto 1000' is this a rule number in the global or the private chain ? Having only *one* chain (either public or private) solves the problem although at the price of some extra copies of the firewall code. cheers luigi