per-interface packet filters
Vladimir Grebenschikov
vova at fbsd.ru
Tue Dec 14 08:42:40 PST 2004
On Tue, 14/12/2004 at 17:13 +0100, Andre Oppermann wrote:
> > Yes, but is about "how netgraph interfere with ipfw" sometimes, netgraph
> > filtering has nothing common with host filtering.
>
> Nonetheless you need to call it from somewhere?
Yes. If, for example, I connect two VPNs without accepting them
into the host packet flow and want to firewall something inside.
> > > > 2. Plug firewall on any specific interface
> > > > 3. Plug firewall on any network packet processing input/output (current)
> > > > 4. Plug it into bridging code
> > >
> > > How do you represent this complexity in syntax and semantics?
> >
> > First thing that jumps into my mind:
> >
> > flows management:
> > ipfw flow add $customer1 iface fxp0
> > ipfw flow del $customer2 iface fxp0
> > ipfw flow set $customer1 iface fxp1
> > ipfw flow default $external
> > ipfw flow list
> >
> > changes rules for flow
> > ipfw flow use $customer1 add ip from any to any
> > ...
>
> Ok, this is a start. Now we are getting somewhere.
>
> A "flow" would be what Gleb calls a "chain"?
Yes, exactly, just read Gleb's message.
> > or as variant
> > ipfw -F $customer1 add ip from any to any
> > ...
> >
> > I think there can be a better interface if one thinks a bit about it.
>
> Great. Please do so.
Probably a better way to do it:
ipfw flow set $customer1 add iface fxp0 del iface fxp1 ... etc
for attaching multiple interfaces to a single flow (or chain, does not
matter)
also
ipfw flow add $dummy - to add a not connected flow
and
ipfw flow default $dummy - to make this flow the system default (instead of
the old one)
> > > This is the tricky problem to be solved first. Then we can start arguing
> > > about implementation issues, API's, ABI's and other related things.
> >
> > Again, Gleb is not going to change the API or ABI.
>
> Again, he does. In a major way.
Ok, I do not want to go deep into details until I look at the code, but I guess
it is possible to extend the PFIL_HOOKS API without harming existing
applications.
> > > So give me syntax and semantics examples how you want to operate this
> > > functionality?
> >
> > see above
> >
> > > We do not dispute the need for per-interface rules.
> >
> > Ok, so we agree that it is a good idea?
>
> Yes. If it is smartly done it can help a lot. If not well done it
> can wreak havoc.
>
--
Vladimir B. Grebenchikov
vova at fbsd.ru
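As an added illustration of the flow/interface semantics sketched in this message (not code from the thread or from ipfw itself), the following toy model executes the proposed `ipfw flow` commands and resolves which chain a packet on a given interface would be checked against, including the fallback to the system-default flow. The names `FlowTable`, `run` and `chain_for` are my own assumptions.

```python
# Toy model of the "ipfw flow" syntax proposed above: each flow (Gleb's "chain")
# owns its own rule list, interfaces are attached to flows, and an unattached
# interface falls back to the system-default flow. Constructed; not ipfw code.

class FlowTable:
    def __init__(self):
        self.rules = {}              # flow name -> list of rule bodies
        self.iface_flow = {}         # interface name -> flow name
        self.default = None          # system-default flow name

    def _attach(self, flow, iface):
        self.rules[flow]                     # raises KeyError for an unknown flow
        self.iface_flow[iface] = flow        # re-attaching moves the interface

    def _detach(self, flow, iface):
        if self.iface_flow.get(iface) != flow:
            raise ValueError(f"{iface} is not attached to {flow}")
        del self.iface_flow[iface]

    def run(self, cmdline):
        """Execute one 'ipfw flow ...' command; 'list' returns the attachment map."""
        _, _, verb, *args = cmdline.split()
        if verb == "add":                      # add $flow [iface IF]
            self.rules.setdefault(args[0], [])
            if args[1:2] == ["iface"]:
                self._attach(args[0], args[2])
        elif verb in ("del", "set"):           # del $flow iface IF
            op, rest = ("del" if verb == "del" else "add"), args[1:]
            while rest:                        # set $flow [add|del] iface IF ...
                if rest[0] in ("add", "del"):
                    op, rest = rest[0], rest[1:]
                (self._attach if op == "add" else self._detach)(args[0], rest[1])
                rest = rest[2:]
        elif verb == "default":                # default $flow
            self.rules[args[0]]                # raises KeyError for an unknown flow
            self.default = args[0]
        elif verb == "use":                    # use $flow add <rule body>
            self.rules[args[0]].append(" ".join(args[2:]))
        elif verb == "list":
            return dict(self.iface_flow), self.default
        else:
            raise ValueError(f"unknown verb {verb}")

    def chain_for(self, iface):
        flow = self.iface_flow.get(iface, self.default)   # per-interface, else default
        if flow is None:
            raise LookupError("interface unattached and no default flow set")
        return self.rules[flow]
```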