Date: Mon, 13 Dec 2004 15:40:51 +0300
From: Gleb Smirnoff <glebius@freebsd.org>
To: net@freebsd.org
Subject: per-interface packet filters
Message-ID: <20041213124051.GB32719@cell.sick.ru>
Dear networkers,

I finally managed to pronounce my idea, although I'm afraid of the bikeshed it is going to be buried under.

When managing a complex router with many interfaces, the output of `ipfw show` (or its ipf/pf analog) gets long and difficult to understand. It is also important that many packets are checked against rules that can never apply to them, wasting CPU cycles. A simple example is a local network router with many inner interfaces and one interface to the internet. Actually, filtering is desired only on the external interface, and there is no need for local traffic to enter the packet filtering routines, e.g. ipfw_chk().

I'd like to implement per-interface pfil hooks, like in the Cisco world. Each interface may have an 'in' list of rules and an 'out' list of rules. The current global ip_{input,output} filters may coexist with per-interface ones, but can be turned off. Our PFIL interface is quite ready for this, and this is very nice.

I'll start with creating/editing alternative chains in ipfw. Then we will need to add the possibility to register per-interface hooks in pfil, and the possibility to pass one more optional argument from pfil to the filter itself.

I'm glad to see any constructive comments on the plan.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
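An added example, not code from the mail or from FreeBSD: a small C model of the two layouts the proposal contrasts, counting how many rules a packet is checked against when the policy hangs on the external interface alone versus on the global hook. The chain and rule structures, the interface numbering and the function names are the example's own assumptions.

```c
#include <string.h>
/* Constructed model of the mail's proposal: an 'in' and an 'out' rule list per
 * interface next to the global lists, which can be switched off. All names are
 * this example's own, not FreeBSD's pfil/ipfw code. */
enum { DIR_IN, DIR_OUT, NDIR, MAX_IF = 4, MAX_RULES = 8, DROP = 0, PASS = 1, NOMATCH = -1 };
struct rule  { unsigned short dport; int action; };      /* dport 0 = any port */
struct chain { struct rule rules[MAX_RULES]; int n; };
static struct chain global_chain[NDIR];       /* today's global ip_input/ip_output hooks */
static struct chain if_chain[MAX_IF][NDIR];   /* proposed per-interface hooks */
static int global_enabled = 1;
static unsigned long rules_evaluated;          /* CPU cost: rules looked at so far */
static void chain_add(struct chain *c, unsigned short dport, int action)
{
    if (c->n < MAX_RULES)
        c->rules[c->n++] = (struct rule){ dport, action };
}
/* Walk one list to the first match; every rule touched costs one check. */
static int chain_run(const struct chain *c, unsigned short dport)
{
    for (int i = 0; i < c->n; i++) {
        rules_evaluated++;
        if (c->rules[i].dport == 0 || c->rules[i].dport == dport)
            return c->rules[i].action;
    }
    return NOMATCH;
}
/* The hook: the packet's interface list first, then the global one if enabled. */
int filter_packet(int ifidx, int dir, unsigned short dport)
{
    int r = chain_run(&if_chain[ifidx][dir], dport);
    if (r == NOMATCH && global_enabled)
        r = chain_run(&global_chain[dir], dport);
    return r == NOMATCH ? PASS : r;           /* example's default when nothing matched */
}
unsigned long cost(void) { return rules_evaluated; }
/* Router from the mail: if 0 faces the internet, 1..3 are internal. per_interface=1
 * hangs the policy on if 0 alone, 0 keeps it global. Returns rules installed. */
int setup_router(int per_interface)
{
    struct chain *c = per_interface ? &if_chain[0][DIR_IN] : &global_chain[DIR_IN];
    memset(global_chain, 0, sizeof global_chain);
    memset(if_chain, 0, sizeof if_chain);
    rules_evaluated = 0;
    global_enabled = !per_interface;
    chain_add(c, 22, DROP);   /* no ssh from outside */
    chain_add(c, 25, DROP);   /* no smtp from outside */
    chain_add(c, 0, PASS);    /* everything else in */
    return c->n;
}
```

In the global layout the same three rules also drop ssh arriving on an internal interface, so ipfw would need an interface match (`recv`/`via`) on each rule, which is exactly the long ruleset the mail complains about.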