per-interface packet filters

Luigi Rizzo rizzo at icir.org
Wed Dec 15 04:15:21 PST 2004


On Wed, Dec 15, 2004 at 02:57:09PM +0300, Gleb Smirnoff wrote:
> On Wed, Dec 15, 2004 at 11:50:55AM +0100, Andre Oppermann wrote:
...
> A> Secondly the struct ifnet would have to be extended with a pfil_head pointer
> A> for every protocol family in the system.  This would be non-dynamic and
> A> would require a recompile of all drivers etc. when a protocol is added or
> A> removed.  Struct ifnet is not a dynamic structure.
> 
> Yes, it needs to be extended. An alternative is handling a table of
> interfaces vs chains inside firewalls. We are talking a lot about design;
> which of the above designs is better? Is it going to be easy to edit all these 
> tables when an interface is destroyed? No. Would it be possible to know
> which chains/filters are used on interface via ifconfig? No. Would it be
> possible to avoid entering firewall functions when processing interfaces
> without ACLs? No.

gleb,
andre is perfectly right here.
struct ifnet should have as little protocol/module specific information
as possible.

The correct way to design things here is that each module (ipfw,
netgraph, routing, ...) which is interested in interface-specific
events (such as them being created, deleted, modified, printing the
module-specific info related to the interface, etc.) should register
a callback with ifconfig and be notified of the event, but store
the module-specific information internally.

Only in this way can you have loadable modules etc. without making a mess.

If you are worried about replicating the code that does the lookup
from the interface-id to the module-specific info, this is a valid
concern but could be worked around by providing a system-wide
subsystem by which a module (e.g. a firewall) asks the system
"please attach to the interface a chunk of 544 bytes with
 ID=0xff3022a0" and then can reply to requests such as
"give me the pointer to the chunk with ID=0xff3022a0 for
interface fxp12"

This logically implements an extension of ifnet,
but without all the disadvantages of adding fields for
each new protocol/module/feature.

I am not sure if the event signalling from ifconfig to the interested
parties is already there, but that is trivial anyway to set up.

Same for the module-specific if-related lookup.

	cheers
	luigi

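The two mechanisms the message above describes, a per-module callback for interface create/destroy events and a system-wide "attach a chunk of N bytes with ID=X to this interface / give me the chunk with ID=X for interface fxp12" service, sketched in user-space C. This is an added example, not code from the original post and not FreeBSD code; struct ifnet is stood in by a toy struct ifnet_sim, and every other name (ifext_*, fw_*, FW_CHUNK_ID reusing the 0xff3022a0 value from the message) is hypothetical. It goes one step past the text by also handling interface destruction: modules are notified first, then any chunks still attached are freed by the registry rather than by editing per-module tables.

```c
/* Added example, not FreeBSD code; every name here is hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { IFEXT_MAX_IFS = 16, IFEXT_MAX_CHUNKS = 8, IFEXT_MAX_HOOKS = 8 };

/* Stand-in for struct ifnet: generic fields only, no per-module pointers. */
struct ifnet_sim { char if_xname[16]; };

enum ifext_event { IFEXT_CREATED, IFEXT_DESTROYED };
typedef void (*ifext_hook_t)(enum ifext_event, struct ifnet_sim *, void *);

/* Registry: per interface, a list of (ID, chunk) pairs owned by modules. */
struct ifext_chunk { uint32_t id; void *data; };
struct ifext_entry { struct ifnet_sim *ifp; struct ifext_chunk chunks[IFEXT_MAX_CHUNKS]; int nchunks; };
static struct ifext_entry ifext_table[IFEXT_MAX_IFS];
static int ifext_nifs;
static struct { ifext_hook_t fn; void *arg; } ifext_hooks[IFEXT_MAX_HOOKS];
static int ifext_nhooks;

/* A module asks to be told about interface events (the ifconfig callback). */
int ifext_register_hook(ifext_hook_t fn, void *arg)
{
    if (fn == NULL || ifext_nhooks >= IFEXT_MAX_HOOKS) return -1;
    ifext_hooks[ifext_nhooks].fn = fn;
    ifext_hooks[ifext_nhooks++].arg = arg;
    return 0;
}
static void ifext_notify(enum ifext_event ev, struct ifnet_sim *ifp)
{
    for (int i = 0; i < ifext_nhooks; i++)
        ifext_hooks[i].fn(ev, ifp, ifext_hooks[i].arg);
}
static struct ifext_entry *ifext_find(const struct ifnet_sim *ifp)
{
    for (int i = 0; i < ifext_nifs; i++)
        if (ifext_table[i].ifp == ifp) return &ifext_table[i];
    return NULL;
}

/* "please attach to the interface a chunk of len bytes with ID=id" */
void *ifext_attach(struct ifnet_sim *ifp, uint32_t id, size_t len)
{
    struct ifext_entry *e = ifext_find(ifp);
    if (e == NULL || len == 0 || e->nchunks >= IFEXT_MAX_CHUNKS) return NULL;
    for (int i = 0; i < e->nchunks; i++)  /* one chunk per ID per interface */
        if (e->chunks[i].id == id) return NULL;
    void *p = calloc(1, len);
    if (p != NULL) {
        e->chunks[e->nchunks].id = id;
        e->chunks[e->nchunks++].data = p;
    }
    return p;
}

/* "give me the pointer to the chunk with ID=id for interface ifp" */
void *ifext_lookup(const struct ifnet_sim *ifp, uint32_t id)
{
    struct ifext_entry *e = ifext_find(ifp);
    for (int i = 0; e != NULL && i < e->nchunks; i++)
        if (e->chunks[i].id == id) return e->chunks[i].data;
    return NULL;
}

/* ifconfig side: create an interface, then notify every registered module. */
struct ifnet_sim *ifext_if_create(const char *name)
{
    struct ifnet_sim *ifp = ifext_nifs < IFEXT_MAX_IFS ? calloc(1, sizeof *ifp) : NULL;
    if (ifp == NULL) return NULL;
    strncpy(ifp->if_xname, name, sizeof ifp->if_xname - 1);
    ifext_table[ifext_nifs++].ifp = ifp;
    ifext_notify(IFEXT_CREATED, ifp);
    return ifp;
}

/* Destroy: notify modules first so they can tear down their own state, then
 * free any chunks still attached so no module is left with a dangling pointer. */
int ifext_if_destroy(struct ifnet_sim *ifp)
{
    struct ifext_entry *e = ifext_find(ifp);
    if (e == NULL) return -1;
    ifext_notify(IFEXT_DESTROYED, ifp);
    for (int i = 0; i < e->nchunks; i++)
        free(e->chunks[i].data);
    *e = ifext_table[--ifext_nifs];  /* compact: last entry fills the hole */
    memset(&ifext_table[ifext_nifs], 0, sizeof *e);
    free(ifp);
    return 0;
}

/* Toy consumer: a firewall module keeping per-interface state under the ID
 * quoted in the message, without ever touching struct ifnet_sim itself. */
#define FW_CHUNK_ID 0xff3022a0u
struct fw_ifstate { int enabled; int nrules; };
static int fw_created, fw_destroyed;
static void fw_ifhook(enum ifext_event ev, struct ifnet_sim *ifp, void *arg)
{
    (void)arg;
    if (ev == IFEXT_DESTROYED) { fw_destroyed++; return; }  /* registry frees the chunk */
    struct fw_ifstate *s = ifext_attach(ifp, FW_CHUNK_ID, sizeof *s);
    if (s != NULL) { s->enabled = 1; fw_created++; }
}
int fw_init(void) { return ifext_register_hook(fw_ifhook, NULL); }
/* Fast path: an interface with no firewall chunk never enters the firewall. */
int fw_has_state(const struct ifnet_sim *ifp) { return ifext_lookup(ifp, FW_CHUNK_ID) != NULL; }
```

The firewall module never reads or writes struct ifnet_sim; it only keys its state by the interface pointer plus its own ID, which is what lets struct ifnet stay free of per-module fields. fw_has_state() is the check an input path would run to skip the firewall on interfaces that carry no firewall chunk; with a real kernel the linear ifext_find() lookup would be replaced by something indexed, and attach/lookup would need a lock, both left out here to keep the shape of the design visible.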
