From: Julian Elischer
Date: Fri, 20 Oct 2006 15:57:51 -0700
To: net@freebsd.org
Subject: PFIL hooks etc.
Message-ID: <4539546F.6070705@elischer.org>
List-Id: Networking and TCP/IP with FreeBSD

I'm looking at some changes to the pfil and ipfw code. I notice that the pfil changes for link layer and bridge based filtering have not been completed yet (by which I mean that ipfw is still called directly from those places rather than via pfil). Is anyone working on this?

I have been playing around with filtering bridges and notice that there is no way for pfil to tell the called modules (e.g. ipfw) that it was called from a bridge as opposed to having been called from the ethernet framework. I see two possible ways this could be done.

1/ adding a filter list head with a different KEY/KEYTYPE, for example adding a third keytype:

    #define PFIL_TYPE_AF     1 /* key is AF_* type */
    #define PFIL_TYPE_IFNET  2 /* key is ifnet pointer */
    #define PFIL_TYPE_BRIDGE 3 /* key is ignored. Used for bridging */

and making a special filter list for bridging. It would be possible to use the ifnet associated with the bridge I guess, but it would be hard to find the right queue if you didn't know where the ifnet for the bridge was.

2/ Possibly another way would be to extend the flags sent with each packet to contain more than just the direction:

    #define PFIL_OUT      0x00000002
    #define PFIL_WAITOK   0x00000004
    #define PFIL_ALL      (PFIL_IN|PFIL_OUT)
    +#define PFIL_DIR      (PFIL_IN|PFIL_OUT)
    +#define PFIL_IPSTACK  0x00000010
    +#define PFIL_BRIDGE   0x00000020
    +#define PFIL_LINK     0x00000030
    +#define PFIL_CALLER   0x000000F0

thus (flags & PFIL_CALLER) can be tested to see who called you, and (flags & PFIL_DIR) can be tested to get the direction.

Thoughts?

Julian
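Added example, not code from the post or from FreeBSD's pfil: a hook-side decoder for the flag layout proposed in option 2/, showing how a consumer such as ipfw could act on the caller and direction. It assumes PFIL_IN is 0x00000001 (as in pfil.h of that era) and that the remaining values are exactly those listed above; demo_hook and its policy are hypothetical.

```c
#include <stddef.h>

/* Existing direction bits; PFIL_IN assumed to be 0x1 as in pfil.h. */
#define PFIL_IN       0x00000001
#define PFIL_OUT      0x00000002
#define PFIL_WAITOK   0x00000004
#define PFIL_ALL      (PFIL_IN|PFIL_OUT)
/* Proposed additions, values taken from the post. */
#define PFIL_DIR      (PFIL_IN|PFIL_OUT)
#define PFIL_IPSTACK  0x00000010
#define PFIL_BRIDGE   0x00000020
#define PFIL_LINK     0x00000030
#define PFIL_CALLER   0x000000F0

enum pfil_caller_id { CALLER_UNKNOWN, CALLER_IPSTACK, CALLER_BRIDGE, CALLER_LINK };

/* The caller field is an enumerated value inside the masked nibble, not a set
 * of independent bits (PFIL_LINK 0x30 shares bits with IPSTACK and BRIDGE), so
 * decode it with == on the masked value rather than a plain & test. */
static enum pfil_caller_id
pfil_caller(int flags)
{
	switch (flags & PFIL_CALLER) {
	case PFIL_IPSTACK: return CALLER_IPSTACK;
	case PFIL_BRIDGE:  return CALLER_BRIDGE;
	case PFIL_LINK:    return CALLER_LINK;
	default:           return CALLER_UNKNOWN;
	}
}

static int
pfil_dir(int flags)
{
	return flags & PFIL_DIR;
}

/* Hypothetical hook policy: returns 1 (drop) for inbound packets handed to us
 * by the bridge when bridge_in_allowed is 0, 0 (pass) otherwise. Packets from
 * the IP stack or the link layer are never affected by this rule. */
static int
demo_hook(int flags, int bridge_in_allowed)
{
	if (pfil_caller(flags) == CALLER_BRIDGE &&
	    pfil_dir(flags) == PFIL_IN && !bridge_in_allowed)
		return 1;
	return 0;
}
```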