Date: Wed, 15 Dec 2004 00:41:03 +0100
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Gleb Smirnoff <glebius@freebsd.org>
Cc: net@freebsd.org
Subject: Re: per-interface packet filters
Message-ID: <20041214234102.GF740@obiwan.tataz.chchile.org>
In-Reply-To: <20041214132031.GB46386@cell.sick.ru>
References: <20041213124051.GB32719@cell.sick.ru> <41BDABFB.E64C0A31@freebsd.org> <20041213184700.GA37107@cell.sick.ru> <41BE0E89.AE21445@freebsd.org> <20041214091652.GE42820@cell.sick.ru> <41BEE50E.6AA4FA4@freebsd.org> <20041214132031.GB46386@cell.sick.ru>
On Tue, Dec 14, 2004 at 04:20:31PM +0300, Gleb Smirnoff wrote:
>>> ipfw syntax will be 100% backward compatible. The following keywords would
>>> be added:
>>>
>>> ipfw chain list - list configured chains
>>> ipfw chain add | delete - delete, remove chain
>>> ipfw chain _number_ [common rule definition] - add/delete rules to
>>> non-default chain
>>>
>>> It would be possible to attach chains to interfaces specifying also
>>> direction. It will be done with ifconfig, or a specific utility (not yet
>>> decided).
>>
>> Why don't you specify the interface directly in the syntax? That would be
>> more in line with ease of use instead of having yet another logical
>> indirection?
>>
>> ipfw fxp0 add permit ip from any to any
>
> Because one chain may be used for several interfaces. One can be used for
> ng_pfil node. One can be not used at all, but it is hanging there, so that
> it can replace the one used by interface (this is what bms requested for
> XORP).

If you introduce this kind of logical indirection, why would you restrict
these chains to be used only if the interface matched? I mean that any of
available packet-filter matches (src or dst ip, proto, ports, TCP flags or
even ttl...) may be used as a requirement to reach this chain. This is how
the Linux NetFilter framework is designed [1]. Quote from Linux iptables(8)
manual page [2]:

<< Iptables is used to set up, maintain, and inspect the tables of IP packet
filter rules in the Linux kernel. Several different tables may be defined.
Each table contains a number of built-in chains and may also contain
user-defined chains. Each chain is a list of rules which can match a set of
packets. Each rule specifies what to do with a packet that matches. This is
called a `target', which may be a jump to a user-defined chain in the same
table. >>

Note that I am not saying that NetFilter is better (I would be silly to do it
here ;-)), but nevertheless it may have some interesting ideas to consider
while talking about extending the FreeBSD firewall framework, IMHO.

[1] http://www.docum.org/docum.org/kptd/
[2] http://sman.informatik.htw-dresden.de/man/ALL/iptables.html#sect2

Regards,
--
Jeremie Le Hen
jeremie@le-hen.org
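As an added illustration (not part of the original thread, and not ipfw or netfilter code), the following Python model shows the table/chain/target design the iptables(8) quote describes: a rule's target may be a jump into a user-defined chain, and the match that leads there can be any criterion (interface, protocol, port, source address), not only the interface. When a user chain finishes without a verdict, evaluation returns to the next rule of the calling chain, and a built-in chain's policy applies when nothing matches. Chain names, packet fields and addresses below are constructed for the example.

```python
"""Toy model of chain-based packet filtering (constructed example, not ipfw/netfilter)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary; fields are constructed for the example."""
    iface: str
    proto: str
    src: str
    dst: str
    dport: int
    ttl: int


@dataclass
class Rule:
    match: Dict[str, object]  # packet field -> required value; empty dict matches everything
    target: str               # "ACCEPT", "DROP", "RETURN", or the name of a user chain (jump)

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, key) == value for key, value in self.match.items())


class Table:
    BUILTIN = {"INPUT", "OUTPUT", "FORWARD"}
    TERMINAL = {"ACCEPT", "DROP"}
    MAX_DEPTH = 16  # simplification: bound jump depth instead of rejecting loops at load time

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {name: [] for name in self.BUILTIN}
        self.policy: Dict[str, str] = {name: "ACCEPT" for name in self.BUILTIN}

    def new_chain(self, name: str) -> None:
        if name in self.chains:
            raise ValueError(f"chain {name} already exists")
        self.chains[name] = []

    def add_rule(self, chain: str, match: Dict[str, object], target: str) -> None:
        # A jump target must be an existing chain; verdicts and RETURN are always valid.
        if target not in self.TERMINAL | {"RETURN"} and target not in self.chains:
            raise ValueError(f"unknown target {target}")
        self.chains[chain].append(Rule(dict(match), target))

    def verdict(self, chain: str, pkt: Packet, depth: int = 0) -> Optional[str]:
        """Walk one chain; return a terminal verdict, or None to continue in the caller."""
        if depth > self.MAX_DEPTH:
            raise RecursionError("chain jump too deep (loop in ruleset?)")
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in self.TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            sub = self.verdict(rule.target, pkt, depth + 1)  # jump into user chain
            if sub is not None:
                return sub
            # user chain ended without a verdict: fall through to the next rule here
        return None

    def filter(self, builtin_chain: str, pkt: Packet) -> str:
        """Final decision for a packet entering a built-in chain, applying its policy."""
        result = self.verdict(builtin_chain, pkt)
        return result if result is not None else self.policy[builtin_chain]


def build_example_table() -> Table:
    """Two user chains: one reached by interface, one reached by proto/port only."""
    t = Table()
    t.policy["INPUT"] = "DROP"           # default-deny on the built-in chain
    t.new_chain("from_fxp0")             # reached by an interface match (constructed name)
    t.new_chain("mgmt_tcp")              # reached by a proto/port match, interface-independent
    t.add_rule("INPUT", {"iface": "fxp0"}, "from_fxp0")
    t.add_rule("INPUT", {"proto": "tcp", "dport": 22}, "mgmt_tcp")
    t.add_rule("from_fxp0", {"proto": "icmp"}, "ACCEPT")
    t.add_rule("from_fxp0", {"proto": "tcp", "dport": 80}, "ACCEPT")
    t.add_rule("mgmt_tcp", {"src": "192.0.2.10"}, "ACCEPT")  # constructed admin address
    t.add_rule("mgmt_tcp", {}, "DROP")
    return t


if __name__ == "__main__":
    table = build_example_table()
    for pkt in (Packet("fxp0", "icmp", "203.0.113.5", "192.0.2.1", 0, 64),
                Packet("fxp0", "tcp", "192.0.2.10", "192.0.2.1", 22, 64),
                Packet("em0", "tcp", "198.51.100.7", "192.0.2.1", 22, 64)):
        print(pkt, "->", table.filter("INPUT", pkt))
```

The second sample packet is the interesting one: it arrives on fxp0, so it is sent into `from_fxp0`, but nothing there matches, so evaluation returns to INPUT, where the proto/port rule sends it into `mgmt_tcp` and the source-address rule accepts it. The same `mgmt_tcp` chain is reached for SSH on any interface, which is the point of making chains reachable by arbitrary matches rather than binding them to an interface only.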