From owner-freebsd-net@FreeBSD.ORG Tue Dec 14 15:27:20 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C392216A4CE for ; Tue, 14 Dec 2004 15:27:20 +0000 (GMT) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0289843D2D for ; Tue, 14 Dec 2004 15:27:20 +0000 (GMT) (envelope-from andre@freebsd.org) Received: (qmail 27599 invoked from network); 14 Dec 2004 15:16:11 -0000 Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 14 Dec 2004 15:16:11 -0000 Message-ID: <41BF0657.3CF0ED10@freebsd.org> Date: Tue, 14 Dec 2004 16:27:19 +0100 From: Andre Oppermann X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Bruce M Simpson References: <41BEF2AF.470F9079@freebsd.org> <20041214141307.GA684@empiric.icir.org> <41BEF670.95C30ED5@freebsd.org> <20041214150148.GC684@empiric.icir.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org Subject: Re: per-interface packet filters, design approach X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Dec 2004 15:27:20 -0000 Bruce M Simpson wrote: > > Hi, > > At this point I'm tempted to explicitly *not* roll support for IPFW1 > in XORP's ACL manager precisely because of its limitations; see below. I'd say IPFW1 is dead. Just ignore it and require IPFW2 on 4.x. > On Tue, Dec 14, 2004 at 03:19:28PM +0100, Andre Oppermann wrote: > > IPFW2 does have this functionality. It's called "sets" of rules which > > you can atomically swap, enable, disable, flush and intermix with each > > other. It's there, read ipfw(8), it's on the 15th line. > > OK. This is probably something I can deal with. Basically XORP has an > intermediate rule representation which tries to be generic enough to > deal with divergent packet filter implementations across various OS > platforms, and yet specific enough to be useful. > > A XORP rule tuple looks like this: > ifname, vifname, src, dst, proto, sport, dport, action > Rule matches take place on all fields but the 'action' part of the tuple. Can you provide examples of a XORP packet filter rule set? > The interface to XORP's packet ACL manager is transaction driven to ensure > atomicity. Where this atomicity can't be guaranteed by the underlying > back-end, the back-end should attempt to mimic it using whatever tricks > are necessary. > > Snapshots get taken at two levels: XORP's intermediate representation > described above, and the back-end's state. These snapshots can be taken > either for the purpose of safely rolling back state when rulesets are > being changed, or for communicating rulesets between different parts of > the packet ACL system. > > I would imagine that mapping between an IPFW2 'set' and a PaIpfwBackend > snapshot on the fly would do the trick. Perfect match. You can even keep up to 32 versions in the kernel and do one-syscall rollback's/forward's to any of them. > I just committed the core of XORP's ACL manager last week, please feel > free to have a look at it and give me feedback. I did take a quick look but my c++ understanding is horribly and I don't have time to work myself through the XORP framework. -- Andre