per-interface packet filters, design approach

Andre Oppermann andre at freebsd.org
Wed Dec 15 05:08:40 PST 2004 

Gleb Smirnoff wrote:
> 
> On Wed, Dec 15, 2004 at 12:04:12PM +0100, Andre Oppermann wrote:
> A> > On Tue, Dec 14, 2004 at 03:03:27PM +0100, Andre Oppermann wrote:
> A> > A>  d1. The PFIL_HOOKS API has one hook per direction per protocol and
> A> > A>      passes the interface information to the firewall package.
> A> > A>  d2. Should the PFIL_HOOKS API be changed and be per interface instead
> A> > A>      of per protocol?  All firewall packages need to be modified and
> A> > A>      we are no longer compatible with the PFIL_HOOKS API.
> A> >
> A> > s/API/usage/g
> A>
> A> See my previous mail why your proposal is broken by design.
> 
> Probably many routers are broken by design, too?

I didn't say that.  I said your specific implementation approach within
the FreeBSD framework is broken by design.  There are other design approaches
that are perfectly fine within the FreeBSD framework to achieve your goals.
Unfortunatly you have refused to really consider them so far.

> A> > Andre, you are the person, who is optimizing our IP stack. Can you ask
> A> > this question, please: if the interface has no filters associated with it,
> A> > why the hell the packets running on it would enter firewall functions?
> A>
> A> Listen Gleb, first and formost I'm cleaning up network stack from years
> A> of bolt-on hackery to make it maintainable and easily understandable and
> A> extendable again.
> 
> <dirty flame>
> 
> But 4.x is more STABLE than 5.x, while it has rotten design, isn't it?

EINVAL comparison.

> Moreover some things stopped working because of better design! Now we have
> kern/71910, kern/73129, kern/73910, plus dozens of people who do not write
> PR because they see these three. But we have better design.

Yes, we have better design.  Whereas before the code was broken with respect
to correct replies from hosts doing forwarding of local IP's.  Now it does
this correctly at the expense of breaking something was possible before.
I agree that this is a POLA violation and I will commit a proper fix shortly.
Like many of us I have only so much time for FreeBSD work and having futile
disussions drains a significant portion of that as of lately.

> </dirty flame>
> 
> A> If there is a trade-off to be made between a few CPU cycles wasted with a
> A> clean and structured design versus some hackery pseudo-optimization I'm
> A> going to do the former.  This is always the more viable choice.
> 
> A> When looking at the BSD history one thing stands out:  Wherever we had a
> A> very clean, concise and documented API (for example protocol independent
> A> sockets) things started to fly.  In the network area we have the protosw
> A> structure and API which allows to add any type of network protocol very
> A> easily into the kernel.  This has allowed BSD to support many different
> A> network protocols.  Most recently IPv6.  The price to pay for the small
> A> indirection protosw has is nothing compared to the adavantages of a good
> A> and clean API design.
> A>
> A> History tells us that sticking to certain design principals pays off very
> A> well and is worth some amount of performance tradeoffs.  Feel free to ask
> A> Kirk McKusick on this lession of history.
> 
> Good. I'm trying to convince you that design of attaching filters to interfaces
> is not mad, and we should choose it, stick to it, and be happy.

I think it is commonly accepted now that per-interface firewalling is a
feature we are OK with.

What is not accepted so far is your implementation approach.  And I am trying
(as are others on this list) to convince you to rethink your approach to avoid
the PFIL_HOOKS API breakage.

> Protocol level packet filters are excellent for hosts, but not for routers.

Fine.  But depends.  I am running an ISP since 1996 and haven't found the
current FreeBSD approach of one rule chain better suited to my practical
needs so far.  Of course, if I wanted to simply take the Cisco appoach
one to one I would find it difficult.  On the other hand I do see advantages
in having per-interface rules chains in certain cases.

> You ain't say that we are building not a router platform. We are building
> a multipurpose platform, that's why I suggest protocol level and per-interface
> filters coexist.

Yea, fine.  But without changing the PFIL_HOOKS API.  Changing IPFW or any
other of our firewalls is fine as long as it is properly designed into their
environment, semantics, syntax and their principals agree on it.

-- 
Andre

More information about the freebsd-net mailing list