Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 14 Dec 2004 06:31:18 -0800
From:      Luigi Rizzo <rizzo@icir.org>
To:        Andre Oppermann <andre@freebsd.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: per-interface packet filters [summary]
Message-ID:  <20041214063118.B77933@xorpc.icir.org>
In-Reply-To: <41BEF746.E8362858@freebsd.org>; from andre@freebsd.org on Tue, Dec 14, 2004 at 03:23:02PM %2B0100
References:  <20041213124051.GB32719@cell.sick.ru> <20041214015603.A75019@xorpc.icir.org> <20041214060341.A77720@xorpc.icir.org> <41BEF746.E8362858@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Tue, Dec 14, 2004 at 03:23:02PM +0100, Andre Oppermann wrote:
...
> > the struct ifnet. All i meant to say is that we want a unique
> > key, possibly in a small namespace, to quickly locate the per-if
> > private firewall info. How the key is used is not a business of
> > the rest of the kernel. But of course if it is an index in a
> > smallish array (such as ifindex) the thing is fast and clean.
> 
> Ok, I'm fine with *this* approach.
> 
> This can be done and handled inside ipfw_check_in|out() based on the
> interface pointer information passed in from pfil_run_hooks().
> 
> Then inside IPFW it can be implemented with multiple rule chains
> although I'm not convinced this would be the smartest approach.

alternatives ?

> Wouldn't it be even better to have per-interface and global rules
> after each other?  This way your problem with the general rule
> synching can be solved.

this is what gleb suggested later today, but i don't think
this solves the problem because sometimes you want the common
processing to be at the beginning, sometimes at the end of the
chain... Plus there is the issue of namespace -- when you do
'skipto 1000' is this a rule number in the global or the
private chain ? Having only *one* chain (either public or
private) solves the problem although at the price of some
extra copies of the firewall code.


	cheers
	luigi

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041214063118.B77933>