From: Kelly Yancey <kbyanc@posi.net>
To: Andre Oppermann
Cc: Luigi Rizzo, Max Laier, freebsd-net@freebsd.org
Date: Wed, 15 Dec 2004 16:36:12 -0800 (PST)
Subject: Re: per-interface packet filters [summary]
Message-ID: <20041215162028.Y46745@gateway.posi.net>
In-Reply-To: <41C0C565.23D7053E@freebsd.org>
References: <20041213124051.GB32719@cell.sick.ru> <20041213104200.A62152@xorpc.icir.org> <20041214015603.A75019@xorpc.icir.org> <20041214130712.GA46386@cell.sick.ru> <41C0C565.23D7053E@freebsd.org>

On Thu, 16 Dec 2004, Andre Oppermann wrote:

> Kelly Yancey wrote:
> >
> > How about a generic per-interface pfil demultiplexer? That is, a module
> > that uses the existing pfil hooks to in turn call per-interface hooks.
> > As Luigi suggested earlier, it would be possible to use the interface
> > index to index an array private to the multiplexer's implementation.
> > If each element in this array had its own pfil_head, then the demultiplexer
> > could call pfil_run_hooks() using that list. This would allow you
> > to have your per-interface hooks in a generic way without changing a line
> > of existing code. It could be entirely encapsulated in a kld. Provided an
> > API to manipulate the per-interface pfil registration, you could even run
> > different filters on different interfaces.
> > You'd even have a chance of back-porting it to FreeBSD 5.x since you
> > won't be changing the ifnet structure at all.
>
> You'd have to change all firewall packages too. Currently they are not
> aware of and can't deal with multiple rule chain heads. This is the
> second main problem of Gleb's implementation proposal so far.
>
> Nothing prevents generic routines from having the demultiplexer you describe,
> but its use and handling has to be inside each firewall package.

Absolutely. You could only use such a demultiplexer to select which
interfaces filters would apply to. The issue of implementing different
behavior depending on the interface (e.g. a firewall implementing
per-interface rulesets) is necessarily a matter for the filter, not the
framework.

That said, since we have 3 firewall implementations, you could use the
demultiplexer to have 3 different sets of rules, each applied to a
different subset of the interfaces. :)

Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com
"An enlightened people, and an energetic public opinion... will control
and enchain the aristocratic spirit of the government." --Thomas Jefferson
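The demultiplexer design discussed above (one hook on the existing pfil head that dispatches to a per-interface array of pfil_heads indexed by ifindex, with its own registration API), as an added userland model that is not code from the thread or from FreeBSD's pfil(9); the struct names, the two stand-in filters, the array bounds and the pass/drop verdict convention are all constructed assumptions:

```c
#define MAX_IFINDEX 8   /* constructed bound; real code would size to if_index */
#define MAX_HOOKS   4

struct pkt { int ifindex; int proto; };
/* A hook returns 0 to pass the packet, nonzero to drop it (assumed convention). */
typedef int (*pfil_func)(struct pkt *);
struct pfil_head { pfil_func hooks[MAX_HOOKS]; int nhooks; };

static struct pfil_head global_head;            /* the existing pfil head */
static struct pfil_head if_heads[MAX_IFINDEX];  /* private to the demux module */

static int pfil_add_hook(struct pfil_head *h, pfil_func f) {
    if (h->nhooks >= MAX_HOOKS) return -1;
    h->hooks[h->nhooks++] = f;
    return 0;
}
/* Run a head's hooks in order; the first nonzero verdict drops the packet. */
static int pfil_run_hooks(struct pfil_head *h, struct pkt *p) {
    for (int i = 0; i < h->nhooks; i++) {
        int rv = h->hooks[i](p);
        if (rv != 0) return rv;
    }
    return 0;
}
/* The demultiplexer: the one hook on the global head.  It selects the per-interface
 * head by ifindex; an interface with no hooks passes traffic, as an empty head does. */
static int pfil_ifdemux(struct pkt *p) {
    if (p->ifindex < 0 || p->ifindex >= MAX_IFINDEX) return 0;
    return pfil_run_hooks(&if_heads[p->ifindex], p);
}
/* The per-interface registration API the message asks for. */
static int pfil_add_if_hook(int ifindex, pfil_func f) {
    if (ifindex < 0 || ifindex >= MAX_IFINDEX) return -1;
    return pfil_add_hook(&if_heads[ifindex], f);
}

/* Stand-ins for two different firewall packages. */
static int drop_udp(struct pkt *p) { return p->proto == 17 ? 1 : 0; }
static int drop_all(struct pkt *p) { (void)p; return 2; }

/* Verdict for a packet of protocol proto arriving on ifindex.  The first call
 * registers the demux on the global head, drop_udp on if 1 and drop_all on if 2. */
static int filter(int ifindex, int proto) {
    static int done;
    if (!done++) {
        pfil_add_hook(&global_head, pfil_ifdemux);
        pfil_add_if_hook(1, drop_udp);
        pfil_add_if_hook(2, drop_all);
    }
    struct pkt p = { ifindex, proto };
    return pfil_run_hooks(&global_head, &p);
}
```

Note the point Andre raises still holds here: the demux only picks which head a packet reaches; each filter attached to a head remains unaware that other heads exist.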