From owner-freebsd-net@FreeBSD.ORG Wed Dec 15 11:57:16 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 71D0E16A4CE; Wed, 15 Dec 2004 11:57:16 +0000 (GMT) Received: from relay.bestcom.ru (relay.bestcom.ru [217.72.144.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id B487343D31; Wed, 15 Dec 2004 11:57:15 +0000 (GMT) (envelope-from glebius@freebsd.org) Received: from cell.sick.ru (root@cell.sick.ru [217.72.144.68]) by relay.bestcom.ru (8.13.1/8.12.9) with ESMTP id iBFBvA2f092988 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 15 Dec 2004 14:57:11 +0300 (MSK) (envelope-from glebius@freebsd.org) Received: from cell.sick.ru (glebius@localhost [127.0.0.1]) by cell.sick.ru (8.12.11/8.12.8) with ESMTP id iBFBvA8O055579 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 15 Dec 2004 14:57:10 +0300 (MSK) (envelope-from glebius@freebsd.org) Received: (from glebius@localhost) by cell.sick.ru (8.12.11/8.12.11/Submit) id iBFBv9jS055578; Wed, 15 Dec 2004 14:57:10 +0300 (MSK) (envelope-from glebius@freebsd.org) X-Authentication-Warning: cell.sick.ru: glebius set sender to glebius@freebsd.org using -f Date: Wed, 15 Dec 2004 14:57:09 +0300 From: Gleb Smirnoff To: Andre Oppermann Message-ID: <20041215115709.GK54307@cell.sick.ru> Mail-Followup-To: Gleb Smirnoff , Andre Oppermann , vova@fbsd.ru, Luigi Rizzo , freebsd-net@freebsd.org References: <20041213124051.GB32719@cell.sick.ru> <200412131743.36722.max@love2party.net> <20041213104200.A62152@xorpc.icir.org> <20041214085123.GB42820@cell.sick.ru> <1103017203.1060.25.camel@localhost> <41BEE281.607DD0A8@freebsd.org> <1103035345.1060.55.camel@localhost> <41BF008D.AD79C9B@freebsd.org> <20041215081810.GA53509@cell.sick.ru> <41C0170F.95449D19@freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <41C0170F.95449D19@freebsd.org> User-Agent: Mutt/1.5.6i X-Virus-Scanned: clamd / ClamAV version devel-20041013, clamav-milter version 0.75l on 127.0.0.1 X-Virus-Status: Clean cc: vova@fbsd.ru cc: Luigi Rizzo cc: freebsd-net@freebsd.org Subject: Re: per-interface packet filters X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Dec 2004 11:57:16 -0000 On Wed, Dec 15, 2004 at 11:50:55AM +0100, Andre Oppermann wrote: A> First you change the way pfil_hooks is used in a multiprotocol incompatible A> way. Lets have a look at ip_input(): A> A> pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL); A> ^^^^^^^^^^^^^^ A> A> PFIL_HOOKS is a generic API with clear semantics. You can't just replace A> this inet_pfil_hook with an interface specific one. That would be INET A> only and you'd have to do the same for IPv6, IPX and whatever other protocols A> may come. A> A> Secondly the stuct ifnet would have to be extended with a pfil_head pointer A> for every protocol family in the system. This would be non-dynamic and A> would require a recompile of all drivers etc. when a protocol is added or A> removed. Struct ifnet is not a dynamic structure. Yes, it needs to be extended. An alternative is handling a table of interfaces vs chains inside firewalls. We are speaking a lot of design, which of above designs is better? Is it going to be easy to edit all these tables when an interface is destroyed? No. Would it be possible to know which chains/filters are used on interface via ifconfig? No. Would it be possible to avoid entering firewall functions when processing interfaces without ACLs? No. So, we are changing design in strange direction, because we don't want struct ifnet to grow? In Juniper|Cisco world, the fact that ACLs are attached in configuration of interfaces, but not firewalls, gives a strong suspection that they have it in their analog of struct ifnet. A> Thirdly have the modules that are hooked into the pfil_hooks no idea that A> they have to register multiple times with multiple chains and so on. This A> means that all firewall packages in FreeBSD need to be adjusted to deal A> with these changes, often in a non-trivial way, to continue to function. I'd like to avoid autohooking here. I'd prefer to have a userland utility which allows sysadmin to hook chain X from packet filter Y to interface fxp0 direction IN, protocol IPv4. Now we have autohooking to preserve compatibility with pre-pfil firewalls. A> And we lose the compatibility with NetBSD where the PFIL_HOOKS API comes A> from. Why? We just have more places where filters can be hooked. A> I hope you understand now that you change the PFIL_HOOKS API not in the A> binary or structure way but in use and semantics. Yes. Let's call it smth different to word API. A> So please put the PFIL_HOOKS discussion to a rest now as it simply won't A> happen. There are perfect alternatives to change IPFW to fit your needs A> within IPFW itself and with the information supplied by the PFIL_HOOKS API. Ok, "simply won't happen", is the words I was awaiting for. -- Totus tuus, Glebius. GLEBIUS-RIPN GLEB-RIPE