Date:      Mon, 13 Dec 2004 15:49:31 +0100
From:      Andre Oppermann <andre@freebsd.org>
To:        Gleb Smirnoff <glebius@freebsd.org>
Cc:        net@freebsd.org
Subject:   Re: per-interface packet filters
Message-ID:  <41BDABFB.E64C0A31@freebsd.org>
References:  <20041213124051.GB32719@cell.sick.ru>

Gleb Smirnoff wrote:
> 
>   Dear networkers,
> 
>   I finally managed to pronounce my idea, although I'm afraid
> of a bikeshed it is going to be buried under.
> 
> When managing a complex router with many interfaces the output
> of `ipfw show` (or ipf/pf analog) is getting long and difficult to
> understand. It is also important that many packets are checked
> against the rules that can never be applied to them, wasting CPU
> cycles.
> 
> A simple example can be a local network router with many inner interfaces
> and with one interface to the internet. Actually filtering is desired
> only on the external interface, and there is no need for local traffic
> to enter packet filtering routines, e.g. ipfw_chk().

Then your argument about long ipfw show doesn't hold... ;)

> I'd like to implement per-interface pfil hooks, like in Cisco
> world. Each interface may have 'in' list of rules, 'out' list
> of rules. Current global ip_{input,output}, filters may coexist
> with per-interface ones, but can be turned off.

Different worlds.  I wonder why everything has to be "like Cisco".  It's
not always the most clever way they solve a given problem.

> Our PFIL interface is quite ready for this, and this is very nice.

I don't see any changes to pfil for this.  Pfil already passes the
interface in the argument call.  This is something for the packet
filters (ipfw/pf/ipf) rather than the pfil API?

> I'll start with creating/editing alternative chains in ipfw. Then
> we will need to add the possibility to register per-interface hooks
> in pfil, and add the possibility to pass one more optional argument
> from pfil to the filter itself.

Can you provide an example of how you think the syntax should be?

> I'm glad to see any constructive comments on the plan.

You have to be careful not to collide with the "in|out|via" inside
the rules.

-- 
Andre
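As an added illustration (not code from this thread, and not how ipfw or pfil is implemented), a small Python model of the two dispatch strategies under discussion: one global chain walked for every packet, versus a chain registered per (interface, direction) so that traffic on an inner interface never enters the filter at all. It counts how many rules a packet is tested against, and includes a lint for rules whose own in|out|via can never match inside the per-interface chain holding them, one reading of the collision Andre points out. Rule numbers, interface names, packet fields and the default action are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                # "allow" or "deny"
    direction: Optional[str]   # "in", "out", or None for either
    via: Optional[str]         # interface name, or None for any
    proto: Optional[str]       # "tcp"/"udp", or None for any

    def matches(self, pkt):
        return ((self.direction in (None, pkt["dir"]))
                and (self.via in (None, pkt["ifp"]))
                and (self.proto in (None, pkt["proto"])))

def run_chain(rules, pkt):
    """First-match walk of one chain; returns (action, rules_evaluated).
    Default action when nothing matches is a constructed assumption."""
    evaluated = 0
    for rule in rules:
        evaluated += 1
        if rule.matches(pkt):
            return rule.action, evaluated
    return "allow", evaluated

def per_interface_chk(chains, pkt):
    """Proposed dispatch: only the (interface, direction) chain is walked."""
    chain = chains.get((pkt["ifp"], pkt["dir"]))
    return ("allow", 0) if chain is None else run_chain(chain, pkt)

def unreachable_rules(chains):
    """Rules whose own in|out|via can never match in the chain holding them."""
    bad = []
    for (ifp, direction), rules in chains.items():
        for r in rules:
            if r.via not in (None, ifp) or r.direction not in (None, direction):
                bad.append((ifp, direction, r.number))
    return bad

# Constructed rule set: em0 is the internet side, fxp0 an inner LAN interface.
R100 = Rule(100, "deny", "in", "em0", "tcp")
R200 = Rule(200, "deny", "in", "em0", "udp")
R300 = Rule(300, "allow", "in", "em0", None)
R400 = Rule(400, "allow", "out", "em0", None)
GLOBAL_RULES = [R100, R200, R300, R400]
CHAINS = {("em0", "in"): [R100, R200, R300], ("em0", "out"): [R400]}
LAN_PKT = {"ifp": "fxp0", "dir": "in", "proto": "tcp"}
WAN_OUT_PKT = {"ifp": "em0", "dir": "out", "proto": "udp"}
```

For LAN_PKT the global chain tests all four rules and matches none, while the per-interface dispatch tests zero; for WAN_OUT_PKT the global walk costs four evaluations against one.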


