per-interface packet filters

Gleb Smirnoff glebius at freebsd.org
Wed Dec 15 00:18:21 PST 2004


On Tue, Dec 14, 2004 at 04:02:37PM +0100, Andre Oppermann wrote:
A> > On Tue, 14/12/2004 at 13:54 +0100, Andre Oppermann wrote:
A> > > It's about HOW to implement it.  I think the ways proposed so far are
A> > > hackish, too complex and outside of our framework which was very well
A> > > designed and allows this kind of feature without any of the hacks and
A> > > extentions discussed here.
A> > >
A> > > We have to properly DESIGN these feature instead of just hacking them
A> > > in.
A> > 
A> > Well, I agree, that it is about how to design it.
A> > But I do not think that the proposed solution is hackish, and I am not alone
A> > in that.
A> 
A> It breaks the PFIL_HOOKS API.

None of the prototypes in pfil.h are changed. Where is the API breakage? You call
"API breakage" the fact that I'm going to *use* this API in a way other than the
way you use it.

A> > Let's imagine our firewall framework as general firewall, able to be
A> > plugged on different layers, after that you can get following:
A> > 
A> > 1. Plug firewall (dedicated chain) between netgraph nodes
A> 
A> [Doesn't work before and after PFIL_HOOKS API breakage.  You'd need a
A>  ipfw netgraph node for that anyway.]

Yes, that would be a node holding a pfil_head and registering filters on it.

A> > 2. Plug firewall on any specific interface
A> > 3. Plug firewall on any network packet processing input/output (current)
A> > 4. Plug it into bridging code
A> 
A> How do you represent this complexity in syntax and semantics?

Haven't I described it in one of yesterday's emails?

A> With cloned devices you have a problem anyway.  Who puts the correct
A> ipfw chain head pointer into struct ifnet in your example?  devd perhaps?
A> 
A> Please enlighten me.

Sorry, but the short answer is "the same way as in the Cisco|Juniper world". The longer
description is:

The cloner will. If this is a sysadmin with ifconfig in his hands, then he
will attach chains to the interface, the same way you do it in "config term" mode.
If it is an interface auto-created by ppp/mpd/etc., then the software will
attach chains according to its config file, the same way as you have
interface templates in the router world.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE