per-interface packet filters [summary]

Luigi Rizzo rizzo at icir.org
Tue Dec 14 06:31:18 PST 2004


On Tue, Dec 14, 2004 at 03:23:02PM +0100, Andre Oppermann wrote:
...
> > the struct ifnet. All i meant to say is that we want a unique
> > key, possibly in a small namespace, to quickly locate the per-if
> > private firewall info. How the key is used is not a business of
> > the rest of the kernel. But of course if it is an index in a
> > smallish array (such as ifindex) the thing is fast and clean.
> 
> Ok, I'm fine with *this* approach.
> 
> This can be done and handled inside ipfw_check_in|out() based on the
> interface pointer information passed in from pfil_run_hooks().
> 
> Then inside IPFW it can be implemented with multiple rule chains
> although I'm not convinced this would be the smartest approach.

Alternatives?

> Wouldn't it be even better to have per-interface and global rules
> after each other?  This way your problem with the general rule
> synching can be solved.

This is what Gleb suggested later today, but I don't think
this solves the problem because sometimes you want the common
processing to be at the beginning, sometimes at the end of the
chain... Plus there is the issue of namespace -- when you do
'skipto 1000' is this a rule number in the global or the
private chain? Having only *one* chain (either public or
private) solves the problem, although at the price of some
extra copies of the firewall code.


	cheers
	luigi
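
The two design points in the message above (locating per-interface private firewall state by ifindex in a small array, and keeping each packet inside exactly one rule chain so that a 'skipto N' target is unambiguous) as a small constructed model. This is an added example, not Luigi's code and not FreeBSD ipfw; the rule layout, field names (src_net/src_mask), chain names, MAX_IFINDEX and the sample addresses are all hypothetical, and the match logic is reduced to a source-address prefix test.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the per-interface chain design discussed in the thread.
   Not ipfw code: rule matching is reduced to a source-prefix test. */

#define MAX_IFINDEX 8   /* hypothetical small ifindex namespace */

#define IP(a, b, c, d) \
    ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

enum action { ACT_ALLOW, ACT_DENY, ACT_SKIPTO };

struct rule {
    int rulenum;          /* ipfw-style rule number, ascending within a chain */
    uint32_t src_net;     /* hypothetical match fields: source prefix */
    uint32_t src_mask;
    enum action act;
    int target;           /* ACT_SKIPTO: rule number to continue at */
};

struct chain {
    const char *name;
    const struct rule *rules;
    int nrules;
};

/* Global chain: 'skipto 1000' here lands on an allow rule. */
static const struct rule global_rules[] = {
    { 100,  IP(10, 0, 0, 0), IP(255, 0, 0, 0), ACT_SKIPTO, 1000 },
    { 200,  0, 0, ACT_DENY,  0 },
    { 1000, 0, 0, ACT_ALLOW, 0 },
};
static const struct chain global_chain = { "global", global_rules, 3 };

/* Private chain for one interface: the same 'skipto 1000' lands on a deny.
   Evaluating inside a single chain keeps the number meaningful. */
static const struct rule em0_rules[] = {
    { 100,  IP(10, 0, 0, 0),    IP(255, 0, 0, 0),   ACT_SKIPTO, 1000 },
    { 500,  IP(192, 168, 0, 0), IP(255, 255, 0, 0), ACT_ALLOW,  0 },
    { 1000, 0, 0, ACT_DENY, 0 },
};
static const struct chain em0_chain = { "em0-private", em0_rules, 3 };

/* Per-interface private firewall info, indexed directly by ifindex
   (the "smallish array" approach). NULL means "use the global chain".
   ifindex 2 is assumed to be em0 for this example. */
static const struct chain *ifchains[MAX_IFINDEX] = { [2] = &em0_chain };

static const struct chain *chain_for(int ifindex) {
    if (ifindex > 0 && ifindex < MAX_IFINDEX && ifchains[ifindex] != NULL)
        return ifchains[ifindex];
    return &global_chain;
}

/* Run one chain to a verdict. skipto is resolved within this chain only;
   a target that is not above the current rule is treated as a bad rule
   (deny), so evaluation always moves forward and cannot loop. End of chain
   is an implicit deny. */
static enum action run_chain(const struct chain *c, uint32_t src) {
    int i = 0;
    while (i < c->nrules) {
        const struct rule *r = &c->rules[i];
        if ((src & r->src_mask) != r->src_net) { i++; continue; }
        if (r->act != ACT_SKIPTO)
            return r->act;
        if (r->target <= r->rulenum)
            return ACT_DENY;
        i++;
        while (i < c->nrules && c->rules[i].rulenum < r->target)
            i++;
    }
    return ACT_DENY;
}

/* What an ipfw_check_in()-style hook would do with the ifindex it is handed. */
enum action filter_in(int ifindex, uint32_t src) {
    return run_chain(chain_for(ifindex), src);
}

int main(void) {
    printf("if2 10.1.2.3     -> %s\n", filter_in(2, IP(10, 1, 2, 3)) == ACT_ALLOW ? "allow" : "deny");
    printf("if2 192.168.1.1  -> %s\n", filter_in(2, IP(192, 168, 1, 1)) == ACT_ALLOW ? "allow" : "deny");
    printf("if5 10.1.2.3     -> %s\n", filter_in(5, IP(10, 1, 2, 3)) == ACT_ALLOW ? "allow" : "deny");
    printf("if5 192.168.1.1  -> %s\n", filter_in(5, IP(192, 168, 1, 1)) == ACT_ALLOW ? "allow" : "deny");
    return 0;
}
```

The point the model makes concrete: interface 2 and interface 5 both hit a rule reading 'skipto 1000', but because each packet is evaluated in exactly one chain the number is looked up in that chain's own numbering, so the same rule text yields opposite verdicts without any ambiguity about which chain the target belongs to. The cost Luigi mentions is visible too: the private chain has to carry its own copy of whatever common rules it needs.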

