Date: Mon, 13 Dec 2004 10:11:25 -0800
From: Julian Elischer <julian@elischer.org>
To: Gleb Smirnoff <glebius@freebsd.org>
Cc: net@freebsd.org
Subject: Re: per-interface packet filters
Message-ID: <41BDDB4D.2050201@elischer.org>
In-Reply-To: <20041213124051.GB32719@cell.sick.ru>
References: <20041213124051.GB32719@cell.sick.ru>
Gleb Smirnoff wrote:
> Dear networkers,
>
> I finally managed to pronounce my idea, although I'm afraid
> of a bikeshed it is going to be buried under.
>
> When managing a complex router with many interfaces the output
> of `ipfw show` (or ipf/pf analog) is getting long and difficult to
> understand. It is also important that many packets are checked
> against the rules that can never be applied to them, wasting CPU
> cycles.
>
> A simple example can be local network router with many inner interfaces
> and with one interface to internet. Actually filtering is desired
> only in external interface, and there is no need for local traffic
> to enter packet filtering routines, e.g. ipfw_chk().
>
> I'd like to implement per-interface pfil hooks, like in Cisco
> world. Each interface may have 'in' list of rules, 'out' list
> of rules. Current global ip_{input,output} filters may coexist
> with per-interface ones, but can be turned off.
>
> Our PFIL interface is quite ready for this, and this is very nice.
> I'll start with creating/editing alternative chains in ipfw. Then
> we will need to add possibility to register per-interface hooks
> in pfil, and add possibility to pass one more optional argument
> from pfil to the filter itself.
>
> I'm glad to see any constructive comments on plan.

I do this now with the current ipfw unchanged. My rules always start with
something like:

    add 100 skipto 1000 ip from any to any in recv fxp0
    add 101 skipto 2000 ip from any to any out xmit fxp0
    add 110 skipto 3000 ip from any to any in recv fxp1
    add 111 skipto 4000 ip from any to any out xmit fxp1
    add 120 skipto 5000 ip from any to any in recv fxp2
    add 121 skipto 6000 ip from any to any out xmit fxp2

This allows me to have a dedicated set of rules for each logical flow.
Sometimes I even go one step further and define subsections for
"out recv fxp0 xmit fxp1" and "from any to me in recv fxp1", etc.

I also sometimes break the rules up further with (for each interface set):

    add 1000 skipto 1100 tcp from any to any
    add 2000 skipto 2100 tcp from any to any

Then at 1050 and 2050 I have processing for things like UDP and icmp.

The aim is to minimise the running of unneeded rules, as you said.
It is actually faster than just that because the rules in each section
never need to test the interface or direction.

I think this should be in an ipfw "howto".

I'm not saying we shouldn't do what you are saying, but that it is already
possible to do very similar things.
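The following is an added illustration, not code from this thread or from ipfw itself: a toy model of the rule walk Julian describes, with just enough ipfw semantics (ascending rule numbers, forward-only `skipto`, `allow`/`deny`, protocol/direction/interface matching) to count how many rules a packet touches under a flat ruleset versus the dispatch-plus-sections layout. The interface names, rule numbers and the set of flows are constructed sample data modelled on the e-mail, and the rule sets are my reconstruction of the layout, not Julian's actual configuration.

```python
"""Toy model of the ipfw rule walk with 'skipto' dispatch.

Added illustration, not code from the mailing-list thread or from ipfw.
It models only the ipfw features the e-mail relies on (ascending rule
numbers, skipto, allow/deny, proto / direction / interface matching) so the
"rules examined per packet" effect of the per-interface layout can be
measured. Rule numbers, interface names and the flows below are constructed
sample data modelled on the e-mail.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", "icmp", ...
    direction: str   # "in" or "out"
    iface: str       # interface the packet was received on / will be sent on


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                    # "allow", "deny" or "skipto"
    target: Optional[int] = None   # skipto destination (must lie ahead)
    proto: Optional[str] = None    # None matches any protocol ("ip")
    direction: Optional[str] = None
    iface: Optional[str] = None    # stands in for "recv X" (in) / "xmit X" (out)

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.direction is None or self.direction == pkt.direction)
                and (self.iface is None or self.iface == pkt.iface))


def walk(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (final action, number of rules examined) for one packet.

    Rules are walked in ascending number order; a matching 'skipto N' resumes
    at the first rule numbered >= N (ipfw only allows forward jumps). Running
    off the end is treated as the default deny."""
    rules = sorted(rules, key=lambda r: r.number)
    i, examined = 0, 0
    while i < len(rules):
        rule = rules[i]
        examined += 1
        if not rule.matches(pkt):
            i += 1
            continue
        if rule.action == "skipto":
            if rule.target is None or rule.target <= rule.number:
                raise ValueError(f"rule {rule.number}: skipto must jump forward")
            i = next((j for j, r in enumerate(rules) if r.number >= rule.target), len(rules))
            continue
        return rule.action, examined
    return "deny", examined


IFACES = ["fxp0", "fxp1", "fxp2"]   # constructed, modelled on the e-mail
PROTOS = ["tcp", "udp", "icmp"]


def flat_ruleset() -> List[Rule]:
    """One long list: every rule repeats its interface and direction test."""
    rules, num = [], 100
    for iface in IFACES:
        for direction in ("in", "out"):
            for proto in PROTOS:
                rules.append(Rule(num, "allow", proto=proto, direction=direction, iface=iface))
                num += 1
    rules.append(Rule(65535, "deny"))
    return rules


def sectioned_ruleset() -> List[Rule]:
    """Dispatch block at 100..121 jumps to a per-interface, per-direction
    section (1000, 2000, ... 6000). Inside a section no rule tests the
    interface or direction again; tcp is split off once more at section+100
    while udp/icmp are handled around section+50, as in the e-mail."""
    rules, num, base = [], 100, 1000
    for iface in IFACES:
        rules.append(Rule(num, "skipto", target=base, direction="in", iface=iface))
        rules.append(Rule(num + 1, "skipto", target=base + 1000, direction="out", iface=iface))
        for section in (base, base + 1000):
            rules.append(Rule(section, "skipto", target=section + 100, proto="tcp"))
            rules.append(Rule(section + 50, "allow", proto="udp"))
            rules.append(Rule(section + 51, "allow", proto="icmp"))
            rules.append(Rule(section + 99, "deny"))           # end of non-tcp part
            rules.append(Rule(section + 100, "allow", proto="tcp"))
            rules.append(Rule(section + 199, "deny"))          # end of tcp part
        num, base = num + 10, base + 2000
    return rules


def all_flows() -> List[Packet]:
    """Every (interface, direction, protocol) combination: constructed traffic mix."""
    return [Packet(p, d, i) for i in IFACES for d in ("in", "out") for p in PROTOS]


def total_examined(rules: List[Rule], pkts: List[Packet]) -> int:
    return sum(walk(rules, p)[1] for p in pkts)


if __name__ == "__main__":
    for name, rs in (("flat", flat_ruleset()), ("sectioned", sectioned_ruleset())):
        print(f"{name:10s} rules={len(rs):2d} "
              f"total examined over all flows={total_examined(rs, all_flows())}")
```

The model counts rule comparisons only, so it says nothing about the cost of a `skipto` itself. It does show the trade-off a practitioner should expect: a packet that would have matched one of the first flat rules pays a little more under the sectioned layout (it passes through the dispatch block first), while traffic that would otherwise traverse most of a long list pays much less, and the aggregate over all flows favours the sectioned layout as the rule count grows.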