From owner-freebsd-net@FreeBSD.ORG Tue Dec 14 23:40:59 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B75E716A4CE; Tue, 14 Dec 2004 23:40:57 +0000 (GMT)
Received: from postfix4-2.free.fr (postfix4-2.free.fr [213.228.0.176]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1FD2743D53; Tue, 14 Dec 2004 23:40:57 +0000 (GMT) (envelope-from tataz@tataz.chchile.org)
Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by postfix4-2.free.fr (Postfix) with ESMTP id D6EA1255975; Wed, 15 Dec 2004 00:40:54 +0100 (CET)
Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id 9521340BB; Wed, 15 Dec 2004 00:41:03 +0100 (CET)
Date: Wed, 15 Dec 2004 00:41:03 +0100
From: Jeremie Le Hen
To: Gleb Smirnoff
Message-ID: <20041214234102.GF740@obiwan.tataz.chchile.org>
References: <20041213124051.GB32719@cell.sick.ru> <41BDABFB.E64C0A31@freebsd.org> <20041213184700.GA37107@cell.sick.ru> <41BE0E89.AE21445@freebsd.org> <20041214091652.GE42820@cell.sick.ru> <41BEE50E.6AA4FA4@freebsd.org> <20041214132031.GB46386@cell.sick.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20041214132031.GB46386@cell.sick.ru>
User-Agent: Mutt/1.5.6i
cc: mlaier@freebsd.org
cc: Andre Oppermann
cc: net@freebsd.org
Subject: Re: per-interface packet filters
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Tue, 14 Dec 2004 23:41:00 -0000

On Tue, Dec 14, 2004 at 04:20:31PM +0300, Gleb Smirnoff wrote:
>>> ipfw syntax will be 100% backward compatible. The following keywords would
>>> be added:
>>>
>>> ipfw chain list - list configured chains
>>> ipfw chain add | delete - delete, remove chain
>>> ipfw chain _number_ [common rule definition] - add/delete rules to
>>> non-default chain
>>>
>>> It would be possible to attach chains to interfaces specifying also
>>> direction. It will be done with ifconfig, or a specific utility (not yet
>>> decided).
>>
>> Why don't you specify the interface directly in the syntax? That would be
>> more in line with ease of use instead of having yet another logical
>> indirection?
>>
>> ipfw fxp0 add permit ip from any to any
>
> Because one chain may be used for several interfaces. One can be used for
> ng_pfil node. One can be not used at all, but it is hanging there, so that
> it can replace the one used by interface (this is what bms requested for
> XORP).

If you introduce this kind of logical indirection, why would you restrict
these chains to be used only if the interface matched? I mean that any of
the available packet-filter matches (src or dst IP, proto, ports, TCP flags
or even TTL...) may be used as a requirement to reach this chain. This is
how the Linux NetFilter framework is designed [1]. Quote from the Linux
iptables(8) manual page [2]:

<< Iptables is used to set up, maintain, and inspect the tables of IP packet
filter rules in the Linux kernel. Several different tables may be defined.
Each table contains a number of built-in chains and may also contain
user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule
specifies what to do with a packet that matches. This is called a `target',
which may be a jump to a user-defined chain in the same table. >>

Note that I am not saying that NetFilter is better (I would be silly to do
it here ;-)), but nevertheless it may have some interesting ideas to consider
while talking about extending the FreeBSD firewall framework, IMHO.

[1] http://www.docum.org/docum.org/kptd/
[2] http://sman.informatik.htw-dresden.de/man/ALL/iptables.html#sect2

Regards,
--
Jeremie Le Hen
jeremie@le-hen.org
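The two designs discussed above, a non-default chain that is attached to an interface (Gleb's ipfw proposal) versus one that is entered from a jump rule whose match criteria can be anything (the NetFilter model Jeremie cites), can be compared in a small model. The following Python is an added example written for this thread, not code from ipfw, iptables or any of the participants: the `Firewall`, `Rule` and `Packet` classes, the chain names `dmz` and `web`, and the interface names are all constructed for illustration. It also shows the two edge cases a real implementation has to decide: what happens when a jumped-to chain ends without a verdict (here: evaluation resumes in the calling chain), and what happens when chains jump in a cycle (here: a depth limit turns it into an error instead of unbounded recursion).

```python
"""Toy packet-filter model contrasting two ways a non-default chain is reached:
attached to an interface, or entered via a jump rule with arbitrary matches.
Constructed example; none of these names are real ipfw or iptables APIs."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str                 # "in" or "out"
    proto: str                     # "tcp", "udp", ...
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                    # "accept", "drop" or "jump"
    target: Optional[str] = None   # chain to enter when action == "jump"
    iface: Optional[str] = None    # None means "match any"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        checks = ((self.iface, pkt.iface), (self.proto, pkt.proto), (self.dport, pkt.dport))
        return all(want is None or want == got for want, got in checks)


class Firewall:
    MAX_DEPTH = 16                 # guard against chains that jump in a cycle

    def __init__(self, policy: str = "drop"):
        self.policy = policy       # verdict when no rule decides (deny by default)
        self.chains = {"default": []}
        self.attached = {}         # (iface, direction) -> chain name

    def chain_add(self, name: str) -> None:
        self.chains.setdefault(name, [])

    def rule_add(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)

    def attach(self, iface: str, direction: str, chain: str) -> None:
        self.attached[(iface, direction)] = chain

    def run_chain(self, name: str, pkt: Packet, depth: int = 0) -> Optional[str]:
        """Return "accept"/"drop", or None if the chain ends without a verdict."""
        if depth > self.MAX_DEPTH:
            raise RuntimeError("chain jump loop detected")
        for rule in self.chains[name]:
            if not rule.matches(pkt):
                continue
            if rule.action == "jump":
                verdict = self.run_chain(rule.target, pkt, depth + 1)
                if verdict is not None:
                    return verdict
                continue           # sub-chain gave no verdict: resume in this chain
            return rule.action
        return None

    def filter(self, pkt: Packet) -> str:
        # Interface-attached chain wins if one exists, otherwise the default chain.
        chain = self.attached.get((pkt.iface, pkt.direction), "default")
        verdict = self.run_chain(chain, pkt)
        return verdict if verdict is not None else self.policy


def build_interface_attached() -> Firewall:
    """Chain selected purely by the interface and direction of the packet."""
    fw = Firewall(policy="drop")
    fw.chain_add("dmz")
    fw.rule_add("dmz", Rule("accept", proto="tcp", dport=80))
    fw.rule_add("dmz", Rule("drop"))
    fw.attach("fxp0", "in", "dmz")
    fw.rule_add("default", Rule("accept", proto="tcp", dport=22))
    return fw


def build_match_reached() -> Firewall:
    """Chain entered by a jump rule matching protocol and port, on any interface."""
    fw = Firewall(policy="drop")
    fw.chain_add("web")
    fw.rule_add("web", Rule("accept", iface="fxp0"))
    fw.rule_add("web", Rule("accept", iface="em0"))   # no terminal rule: may return
    fw.rule_add("default", Rule("jump", target="web", proto="tcp", dport=80))
    fw.rule_add("default", Rule("accept", iface="em0", proto="tcp", dport=22))
    return fw


def detects_loop() -> bool:
    """A chain that jumps to itself is rejected instead of recursing forever."""
    fw = Firewall()
    fw.chain_add("loop")
    fw.rule_add("loop", Rule("jump", target="loop"))
    try:
        fw.run_chain("loop", Packet("fxp0", "in", "tcp"))
    except RuntimeError:
        return True
    return False
```

With the interface-attached layout, an HTTP packet on `em0` never sees the `dmz` chain and falls to the default policy; with the jump-based layout the same `web` chain serves both interfaces, and a packet the chain does not decide on returns to the caller, exactly the "jump to a user-defined chain" target the iptables(8) excerpt describes.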