Date:      Sat, 21 Oct 2006 03:07:19 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-net@freebsd.org
Cc:        andre@freebsd.org, Julian Elischer <julian@elischer.org>
Subject:   Re: PFIL hooks etc.
Message-ID:  <200610210307.25911.max@love2party.net>
In-Reply-To: <4539546F.6070705@elischer.org>
References:  <4539546F.6070705@elischer.org>

On Saturday 21 October 2006 00:57, Julian Elischer wrote:
> I'm looking at some changes to the pfil and ipfw code.
>
> I notice that the pfil changes for link layer and bridge based
> filtering have not been completed yet..
> (by which I mean that ipfw is still called directly
> from those places rather than via pfil.) Is anyone working on this?
> I have been playing around with filtering bridges and
> notice that there is no way for pfil to tell the
> called modules (e.g. ipfw) that it was called from a bridge as opposed
> to having been called from the ethernet framework.
>
> I see two possible ways this could be done.
> 1/ adding a filter list head with a different KEY/KEYTYPE
>    for example
> adding a third keytype:
>
>   #define PFIL_TYPE_AF        1   /* key is AF_* type */
>   #define PFIL_TYPE_IFNET     2   /* key is ifnet pointer */
>   #define PFIL_TYPE_BRIDGE    3   /* key is ignored. Used for bridging */
>
> and making a special filter list for bridging. It would be possible
> to use the ifnet associated with the bridge I guess but it would be
> hard to find the right queue if you didn't know where the ifnet
> for the bridge was.
>
> Possibly another way would be to extend the flags sent
> with each packet to contain more than just the direction:
>
>   #define PFIL_OUT       0x00000002
>   #define PFIL_WAITOK    0x00000004
>   #define PFIL_ALL       (PFIL_IN|PFIL_OUT)
> +#define PFIL_DIR       (PFIL_IN|PFIL_OUT)
> +#define PFIL_IPSTACK   0x00000010
> +#define PFIL_BRIDGE    0x00000020
> +#define PFIL_LINK      0x00000030
> +#define PFIL_CALLER    0x000000F0
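Review bot: the PFIL_CALLER mask 0x000000F0 does not cover the caller values it is meant to extract: PFIL_IPSTACK 0x10, PFIL_BRIDGE 0x20 and PFIL_LINK 0x30 all sit below the 0xF0 range, so (flags & PFIL_CALLER) is always 0 and every caller looks the same. Either set PFIL_CALLER to 0x00000030 and treat the two bits as a field, or move the values up into the 0xF0 range. Since PFIL_LINK equals PFIL_IPSTACK|PFIL_BRIDGE, hooks also need to compare the masked value for equality, e.g. `if ((flags & PFIL_CALLER) == PFIL_BRIDGE)`, rather than testing single bits; a bare `flags & PFIL_BRIDGE` would also match a PFIL_LINK call.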
>
>
> thus (flags & PFIL_CALLER) can be tested to see who called you.
> and (flags & PFIL_DIR) can be tested to get the direction.
>
> thoughts?

Andre has a WIP for this.  I'll let him speak.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News