From: Ermal Luçi <ermal.luci@gmail.com>
To: freebsd-net@freebsd.org
Cc: freebsd-pf@freebsd.org
Date: Mon, 18 Dec 2006 00:03:05 +0100
Subject: PF - netgraph integration
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

Hello,

I am writing a netgraph module to make PF communicate with the netgraph subsystem and was wondering which method of handling PF tags on the netgraph side is better, since they use strings for matching. Is it better to patch ng_tag to handle strings too, like setting the type of hook to either PF-tag-compatible or normal (tag_id/current)? Or just make a kind of aliasing of tag_id in ng_pf (the module I am writing), so that when tags come from PF -> netgraph we assign a tag_id (consistent throughout netgraph) to the specified PF tag, user configurable, and then revert to the PF tag when communicating from netgraph -> PF?

Another issue is the way to handle rule parsing in PF when packets return from netgraph, since PF cannot guarantee rule position/number to be the same after a reload of its ruleset. One option I have thought about is reinjecting the packet on the rules with one of the M_PROTO[1-5] flags so we can distinguish whether the packet has already been sent once to netgraph (although I don't know if this is safe, since other protocols/applications might use these flags)! Maybe introduce an M_NETGRAPH_TO_PF flag like M_SKIP_FIREWALL, but I know this is not a preferable one since it inserts a special case into the kernel?! One forced solution is to create a 'static' anchor where rules about such packets can be created?! The last choice, maybe, is to pass the corresponding rule to netgraph and refind it when sending the packet back to PF so it continues to the next rule, after the one we saved, but this seems really not efficient?!

Please can you help out with these issues? I am trying to find a good solution, but ideas would be welcome :).

Thanks.
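The "aliasing" option raised above (a user-configurable, bidirectional mapping between PF's string tags and netgraph's numeric tag_id) is easy to get wrong in two ways: the same PF tag must always yield the same tag_id for as long as the module is loaded, regardless of PF ruleset reloads, and no two PF tags may ever share a tag_id or the netgraph -> PF reverse translation becomes ambiguous. The following is an added user-space model of such an alias table, written for this page; it is not code from the ng_pf module, ng_tag, or FreeBSD. All ngpf_* names, the 0x100 base for auto-assigned ids, the reservation of id 0 as "untagged", and the 64-byte tag name limit are assumptions of the example.

```c
/*
 * Added example (not the ng_pf module's code): user-space model of a
 * PF-tag <-> netgraph tag_id alias table.  PF matches tags by string,
 * ng_tag matches a numeric id, so the table keys ids by tag NAME rather
 * than by rule number, which keeps the mapping stable across PF ruleset
 * reloads.  Names, limits and id ranges below are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NGPF_MAX_ALIASES   64
#define NGPF_TAGNAME_LEN   64      /* assumed maximum PF tag name length */
#define NGPF_DYNAMIC_BASE  0x100u  /* assumed: auto-assigned ids start here */
#define NGPF_ID_NONE       0u      /* assumed: 0 means "no tag" */

struct ngpf_alias {
    char     pftag[NGPF_TAGNAME_LEN];
    uint32_t tag_id;
    int      configured;   /* 1 = set by the administrator, 0 = auto-assigned */
};

static struct ngpf_alias ngpf_table[NGPF_MAX_ALIASES];
static size_t   ngpf_count;
static uint32_t ngpf_next_dynamic = NGPF_DYNAMIC_BASE;

/* Forget every alias (module unload in the real thing; test setup here). */
void ngpf_alias_reset(void)
{
    memset(ngpf_table, 0, sizeof ngpf_table);
    ngpf_count = 0;
    ngpf_next_dynamic = NGPF_DYNAMIC_BASE;
}

static struct ngpf_alias *ngpf_find_by_name(const char *pftag)
{
    for (size_t i = 0; i < ngpf_count; i++)
        if (strcmp(ngpf_table[i].pftag, pftag) == 0)
            return &ngpf_table[i];
    return NULL;
}

static struct ngpf_alias *ngpf_find_by_id(uint32_t tag_id)
{
    for (size_t i = 0; i < ngpf_count; i++)
        if (ngpf_table[i].tag_id == tag_id)
            return &ngpf_table[i];
    return NULL;
}

static int ngpf_name_ok(const char *pftag)
{
    return pftag != NULL && pftag[0] != '\0' && strlen(pftag) < NGPF_TAGNAME_LEN;
}

/*
 * Administrator-configured alias.  Returns 0 on success, -1 on a bad
 * name, a full table, or a conflict: a name already bound to another id,
 * or an id already bound to another name.  Re-adding an identical pair
 * is a harmless no-op, so a configuration can be re-applied safely.
 */
int ngpf_alias_add(const char *pftag, uint32_t tag_id)
{
    if (!ngpf_name_ok(pftag) || tag_id == NGPF_ID_NONE)
        return -1;
    struct ngpf_alias *a = ngpf_find_by_name(pftag);
    if (a != NULL)
        return a->tag_id == tag_id ? 0 : -1;
    if (ngpf_find_by_id(tag_id) != NULL || ngpf_count == NGPF_MAX_ALIASES)
        return -1;
    a = &ngpf_table[ngpf_count++];
    strncpy(a->pftag, pftag, NGPF_TAGNAME_LEN - 1);
    a->tag_id = tag_id;
    a->configured = 1;
    return 0;
}

/*
 * PF -> netgraph: the tag_id for a PF tag.  An unseen tag gets the next
 * free auto-assigned id, skipping anything the administrator reserved, so
 * the id stays consistent for the lifetime of the table.  Returns
 * NGPF_ID_NONE on a bad name or a full table.
 */
uint32_t ngpf_tag_to_id(const char *pftag)
{
    if (!ngpf_name_ok(pftag))
        return NGPF_ID_NONE;
    struct ngpf_alias *a = ngpf_find_by_name(pftag);
    if (a != NULL)
        return a->tag_id;
    if (ngpf_count == NGPF_MAX_ALIASES)
        return NGPF_ID_NONE;
    while (ngpf_find_by_id(ngpf_next_dynamic) != NULL)
        ngpf_next_dynamic++;
    a = &ngpf_table[ngpf_count++];
    strncpy(a->pftag, pftag, NGPF_TAGNAME_LEN - 1);
    a->tag_id = ngpf_next_dynamic++;
    a->configured = 0;
    return a->tag_id;
}

/* netgraph -> PF: reverse lookup; NULL if the id never came from PF. */
const char *ngpf_id_to_tag(uint32_t tag_id)
{
    struct ngpf_alias *a = ngpf_find_by_id(tag_id);
    return a != NULL ? a->pftag : NULL;
}

int main(void)
{
    ngpf_alias_reset();
    ngpf_alias_add("from_dmz", 10);                 /* configured alias */
    uint32_t id = ngpf_tag_to_id("spam");           /* auto-assigned: 0x100 */
    printf("from_dmz -> %u, spam -> %u, %u -> %s\n",
           ngpf_tag_to_id("from_dmz"), id, id, ngpf_id_to_tag(id));
    return 0;
}
```

Two points the model makes concrete: the reverse direction only works because `ngpf_alias_add` refuses to bind one id to two names, and keying on the tag name rather than the PF rule number is what makes the mapping survive a `pfctl -f` reload, which is the property the second question in the message is after.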