[patch] gsoc project: improving layer2 filtering
    Ermal Luçi 
    ermal.luci at gmail.com
       
    Tue Sep  9 15:39:09 UTC 2008
    
    
  
On Mon, Sep 8, 2008 at 9:30 PM, Gleb Kurtsou <gleb.kurtsou at gmail.com> wrote:
> [Max Laier and Brooks Davis CCed as suggested by Andrew Thompson]
>
> This summer I was working on improving layer2 filtering (my mentor is
> Andrew Thompson) as a google summer of code project.  The project was
> successfully completed.
>
> I'd like to ask for a public review of the patch attached.
> To apply patch (against -CURRENT):
> cd /usr/src; patch -p0 < gk_l2filter.patch
>
> Note, that the patch is not so clean: style(9) issues, stale comments,
> some inaccurate variable names, etc. But is should be just fine for a
> general review.  I'd like to continue working further to improve it, if
> community is interested and if there is possibility for it to get
> commited.  I would appreciate any comments and suggestions.
>
> Some additional details and examples of new functionality can be found on
> my blog: http://blogs.freebsdish.org/gleb/
>
> Project's perforce repository: http://perforce.freebsd.org/changeList.cgi?CMD=changes&FSPC=//depot/projects/soc2008/gk%5fl2filter/...
>
> To sum it up, following project goals were achieved (old todo list):
>
> general:
>    * Implement pfil hooks for filtering ethernet packets
>    * Add mtag containing source and destination layer2 addresses to
>      every mbuf
>    * Add per interface flags: l2filter, l2tag
>
> ipfw:
>    * Update ipfw layer2 not to touch ip headers, but to use mentioned
>      mtags to do MAC-IP filtering
>    * Add src-ether and dst-ether ipfw options
>    * Support mac addresses in ipfw lookup tables
>    * Stateful filtering by mac addresses
>    * Implement ARP filtering options
>    * Update documentation
>
> pf:
>    * Add stateful filtering against mac addresses. Make it part of
>      present layer3 stateful filtering.
>    * Extend pf's tables facility to contain layer2 address apart with
>      layer3 address.
>    * Support in userspace (pf.conf, pfctl).
>    * Update documentation
>
Have you done any measurment on the overhead of this?
Adding tags to every packet passing might buy some overhead taking in
consideration that pf(4) already does this means double overhead for
each packet is it worth unifying this tags for filter case?!
How about adding to the tags even some other parameters like vlan or
COS value when present so one can do some tricks on vlan case or at
least shape on COS value?
Otherwise path seems ok at first glance and am going to try out soon.
-- 
Ermal
    
    
More information about the freebsd-net
mailing list