From owner-freebsd-net@FreeBSD.ORG Mon Dec 13 14:49:33 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 887AB16A4CE for ; Mon, 13 Dec 2004 14:49:33 +0000 (GMT)
Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B959A43D66 for ; Mon, 13 Dec 2004 14:49:32 +0000 (GMT) (envelope-from andre@freebsd.org)
Received: (qmail 18455 invoked from network); 13 Dec 2004 14:38:35 -0000
Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 13 Dec 2004 14:38:35 -0000
Message-ID: <41BDABFB.E64C0A31@freebsd.org>
Date: Mon, 13 Dec 2004 15:49:31 +0100
From: Andre Oppermann
X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Gleb Smirnoff
References: <20041213124051.GB32719@cell.sick.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: net@freebsd.org
Subject: Re: per-interface packet filters
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 13 Dec 2004 14:49:33 -0000

Gleb Smirnoff wrote:
>
> Dear networkers,
>
> I finally managed to pronounce my idea, although I'm afraid
> of a bikeshed it is going to be buried under.
>
> When managing a complex router with many interfaces the output
> of `ipfw show` (or ipf/pf analog) is getting long and difficult to
> understand. It is also important that many packets are checked
> against the rules that can never be applied to them, wasting CPU
> cycles.
>
> A simple example can be a local network router with many inner interfaces
> and with one interface to the internet. Actually filtering is desired
> only on the external interface, and there is no need for local traffic
> to enter packet filtering routines, e.g. ipfw_chk().

Then your argument about long ipfw show doesn't hold... ;)

> I'd like to implement per-interface pfil hooks, like in the Cisco
> world. Each interface may have an 'in' list of rules and an 'out' list
> of rules. Current global ip_{input,output} filters may coexist
> with per-interface ones, but can be turned off.

Different worlds. I wonder why everything has to be "like Cisco". It's
not always the most clever way they solve a given problem.

> Our PFIL interface is quite ready for this, and this is very nice.

I don't see any changes to pfil for this. Pfil already passes the
interface in the argument call. This is something for the packet
filters (ipfw/pf/ipf) rather than the pfil API?

> I'll start with creating/editing alternative chains in ipfw. Then
> we will need to add the possibility to register per-interface hooks
> in pfil, and add the possibility to pass one more optional argument
> from pfil to the filter itself.

Can you provide an example of how you think the syntax should be?

> I'm glad to see any constructive comments on the plan.

You have to be careful not to collide with the "in|out|via" inside
the rules.

--
Andre
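To make the two designs argued over in this message concrete, here is an added user-space model (it is not code from the thread, from FreeBSD, from pfil or from ipfw). It contrasts a single global chain whose rules carry "in|out via <if>" qualifiers, as ipfw rules do today, with per-interface 'in' and 'out' chains selected by a lookup on the receiving or transmitting interface. Both walkers count the rules they touch, which is the CPU-cycle argument from the original proposal: on an internal interface with no policy, the global walker still inspects every external-interface rule before accepting, while the per-interface walker inspects none. The interface indexes, prefixes, struct layouts and the ANY_IF/ANY_DIR wildcards are all constructed for this illustration.

```c
/* Added illustration, not FreeBSD/ipfw code: a user-space model of a global
 * filter chain with per-rule "in|out via <if>" qualifiers versus per-interface
 * in/out chains.  All interface indexes, prefixes and names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum dir { DIR_IN = 0, DIR_OUT = 1 };
enum verdict { PASS = 0, DROP = 1 };
#define ANY_IF  0      /* hypothetical wildcard: rule not bound to an interface */
#define ANY_DIR (-1)   /* hypothetical wildcard: rule not bound to a direction */

struct pkt { uint32_t src, dst; };

struct rule {
    int          dir;       /* ANY_DIR, DIR_IN or DIR_OUT  (global chain only)  */
    int          ifindex;   /* ANY_IF or a specific interface (global chain only) */
    uint32_t     net, mask; /* match on the source prefix                        */
    enum verdict action;
};

struct chain  { const struct rule *rules; size_t n; };
struct iface  { int ifindex; struct chain chain[2]; }; /* [DIR_IN], [DIR_OUT] */
struct result { enum verdict v; int cost; };           /* cost = rules touched */

/* Walk one chain.  With check_via set, rules whose interface/direction
 * qualifier does not match are skipped, but they still cost an inspection. */
static struct result walk(const struct chain *c, const struct pkt *p,
                          int dir, int ifindex, int check_via)
{
    struct result r = { PASS, 0 };             /* implicit default: accept */
    for (size_t i = 0; i < c->n; i++) {
        const struct rule *ru = &c->rules[i];
        r.cost++;
        if (check_via &&
            ((ru->dir != ANY_DIR && ru->dir != dir) ||
             (ru->ifindex != ANY_IF && ru->ifindex != ifindex)))
            continue;                           /* can never apply here */
        if ((p->src & ru->mask) == (ru->net & ru->mask)) {
            r.v = ru->action;
            break;
        }
    }
    return r;
}

#define IP(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                     ((uint32_t)(c) << 8) | (uint32_t)(d))
#define EXT_IF 1   /* constructed: the one internet-facing interface */
#define LAN_IF 2   /* constructed: an inner interface with no policy */

/* Constructed global ruleset: private-source filtering on the external
 * interface only, in the spirit of "deny ip from 10.0.0.0/8 to any in via ext". */
static const struct rule global_rules[] = {
    { DIR_IN,  EXT_IF, IP(10,0,0,0),    0xff000000u, DROP },
    { DIR_IN,  EXT_IF, IP(192,168,0,0), 0xffff0000u, DROP },
    { DIR_IN,  EXT_IF, IP(172,16,0,0),  0xfff00000u, DROP },
    { DIR_OUT, EXT_IF, IP(192,168,0,0), 0xffff0000u, DROP }, /* egress leak */
    { DIR_OUT, EXT_IF, IP(10,0,0,0),    0xff000000u, DROP },
};
static const struct chain global_chain = { global_rules, 5 };

/* The same policy split into per-interface chains; LAN_IF registers none. */
static const struct rule ext_in_rules[] = {
    { ANY_DIR, ANY_IF, IP(10,0,0,0),    0xff000000u, DROP },
    { ANY_DIR, ANY_IF, IP(192,168,0,0), 0xffff0000u, DROP },
    { ANY_DIR, ANY_IF, IP(172,16,0,0),  0xfff00000u, DROP },
};
static const struct rule ext_out_rules[] = {
    { ANY_DIR, ANY_IF, IP(192,168,0,0), 0xffff0000u, DROP },
    { ANY_DIR, ANY_IF, IP(10,0,0,0),    0xff000000u, DROP },
};
static const struct iface ifaces[] = {
    { EXT_IF, { { ext_in_rules, 3 }, { ext_out_rules, 2 } } },
    { LAN_IF, { { NULL, 0 },         { NULL, 0 } } },
};

/* Today's model: one chain, every rule inspected, qualifiers decide relevance. */
struct result filter_global(const struct pkt *p, int dir, int ifindex)
{
    return walk(&global_chain, p, dir, ifindex, 1);
}

/* Proposed model: pick the interface's chain for this direction, walk only it. */
struct result filter_per_iface(const struct pkt *p, int dir, int ifindex)
{
    for (size_t i = 0; i < sizeof ifaces / sizeof ifaces[0]; i++)
        if (ifaces[i].ifindex == ifindex)
            return walk(&ifaces[i].chain[dir], p, dir, ifindex, 0);
    return (struct result){ PASS, 0 };   /* no chain registered: accept */
}

/* Constructed sample packets. */
static const struct pkt lan_pkt   = { IP(192,168,1,10), IP(192,168,2,20) };
static const struct pkt spoof_pkt = { IP(10,1,2,3),     IP(203,0,113,5)  };

int main(void)
{
    struct result g = filter_global(&lan_pkt, DIR_IN, LAN_IF);
    struct result s = filter_per_iface(&lan_pkt, DIR_IN, LAN_IF);
    printf("LAN in : global verdict=%d cost=%d | per-if verdict=%d cost=%d\n",
           g.v, g.cost, s.v, s.cost);
    g = filter_global(&spoof_pkt, DIR_IN, EXT_IF);
    s = filter_per_iface(&spoof_pkt, DIR_IN, EXT_IF);
    printf("EXT in : global verdict=%d cost=%d | per-if verdict=%d cost=%d\n",
           g.v, g.cost, s.v, s.cost);
    return 0;
}
```

Both walkers reach the same verdict on every packet; only the number of rules inspected differs, and it differs most on the internal interfaces that carry no policy at all. The model also shows where the "in|out|via" collision Andre warns about comes from: once a rule lives in a per-interface chain, the qualifier on the rule and the chain it sits in can disagree, so a syntax has to decide which one wins.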