per-interface packet filters [summary]

Kelly Yancey kbyanc at posi.net
Wed Dec 15 15:34:23 PST 2004


On Thu, 16 Dec 2004, Andre Oppermann wrote:

> Kelly Yancey wrote:
> >
> >   How about a generic per-interface pfil demultiplexer?  That is, a module
> > that uses the existing pfil hooks to in turn call per-interface hooks.
> > As Luigi suggested earlier, it would be possible to use the interface
> > index to index an array private to the multiplexer's implementation.
> > If each element in this array had its own pfil_head, then the demultiplexer
> > could then call pfil_run_hooks() using that list.  This would allow you
> > to have your per-interface hooks in a generic way without changing a line
> > of existing code.  It could be entirely encapsulated in kld.  Provided an
> > API to manipulate the per-interface pfil registration, you could even run
> > different filters on different interfaces.
> >   You'd even have a chance of back-porting it to FreeBSD 5.x since you
> > won't be changing the ifnet structure at all.
>
> You'd have to change all firewall packages too.  Currently they are not
> aware of and can't deal with multiple rule chain heads.  This is the
> second main problem of Gleb's implementation proposal so far.
>
> Nothing prevents generic routines from having the demultiplexer you describe,
> but its use and handling have to be inside each firewall package.
>

  Absolutely.  You could only use such a demultiplexer to select which
interfaces filters would apply to.  The issue of implementing different
behavior depending on the interface (e.g. a firewall implementing
per-interface rulesets) is necessarily a matter for the filter, not the
framework.
  That said, since we have 3 firewall implementations, you could use the
demultiplexer to have 3 different sets of rules, each applied to a different
subset of the interfaces. :)

  Kelly

--
Kelly Yancey  -  kbyanc@{posi.net,FreeBSD.org}  -  kelly at nttmcl.com
"An enlightened people, and an energetic public opinion... will control and
 enchain the aristocratic spirit of the government." --Thomas Jefferson
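The demultiplexer sketched above (a single hook on the existing pfil head that indexes a private array of per-interface pfil_heads by if_index, then calls pfil_run_hooks() on the selected head, with a small API for per-interface registration), as an added user-space illustration that is not part of this thread or of FreeBSD's pfil(9) code. The struct pfil_head, pfil_add_hook() and pfil_run_hooks() here are simplified stand-ins with the same roles as the kernel's, not its real definitions; the ifpfil_* names, the prefix-matching toy "firewall", the packet payloads and the interface indices are all assumptions made for the example. It also shows the closing point of the reply: two different filters, each bound to a different subset of the interfaces, without touching struct ifnet or the framework.

```c
#include <stdio.h>
#include <string.h>

/* ASSUMPTION: simplified stand-ins for the pfil(9) pieces named in the thread,
 * not the kernel's own definitions. */
#define IFINDEX_MAX 8   /* size of the demultiplexer's private per-interface table */
#define MAX_HOOKS   4

enum { PFIL_IN = 1, PFIL_OUT = 2 };
enum { PF_PASS = 0, PF_DROP = 1 };

struct ifnet { int if_index; };
struct mbuf  { const char *data; };   /* constructed: payload only */

/* A hook returns PF_PASS or PF_DROP; on drop it sets *mp to NULL, as a firewall would. */
typedef int (*pfil_func_t)(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir);

struct pfil_hook { pfil_func_t func; void *arg; int dirs; };
struct pfil_head { struct pfil_hook hooks[MAX_HOOKS]; int nhooks; };

static int pfil_add_hook(struct pfil_head *ph, pfil_func_t func, void *arg, int dirs)
{
	if (ph->nhooks >= MAX_HOOKS)
		return -1;
	ph->hooks[ph->nhooks++] = (struct pfil_hook){ func, arg, dirs };
	return 0;
}

/* Run the hooks on one head in order; the first drop ends the walk. */
static int pfil_run_hooks(struct pfil_head *ph, struct mbuf **mp, struct ifnet *ifp, int dir)
{
	for (int i = 0; i < ph->nhooks; i++) {
		if (!(ph->hooks[i].dirs & dir))
			continue;
		if (ph->hooks[i].func(ph->hooks[i].arg, mp, ifp, dir) != PF_PASS || *mp == NULL)
			return PF_DROP;
	}
	return PF_PASS;
}

/* The demultiplexer (hypothetical name ifpfil): one private pfil_head per
 * interface index.  It is itself just one hook on the existing global head. */
static struct pfil_head ifpfil_heads[IFINDEX_MAX];

static int ifpfil_demux(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
{
	(void)arg;
	/* No table entry for this interface means no per-interface filters: pass. */
	if (ifp == NULL || ifp->if_index < 0 || ifp->if_index >= IFINDEX_MAX)
		return PF_PASS;
	return pfil_run_hooks(&ifpfil_heads[ifp->if_index], mp, ifp, dir);
}

/* Registration API a filter uses to attach itself to one interface only. */
static int ifpfil_add_hook(int if_index, pfil_func_t func, void *arg, int dirs)
{
	if (if_index < 0 || if_index >= IFINDEX_MAX)
		return -1;
	return pfil_add_hook(&ifpfil_heads[if_index], func, arg, dirs);
}

/* Toy "firewall package": drop any packet whose payload starts with a prefix. */
struct prefix_rule { const char *prefix; };

static int prefix_drop(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
{
	const struct prefix_rule *r = arg;
	(void)ifp; (void)dir;
	if (strncmp((*mp)->data, r->prefix, strlen(r->prefix)) == 0) {
		*mp = NULL;
		return PF_DROP;
	}
	return PF_PASS;
}

/* Global head standing in for the one the stack already runs.  Setup installs
 * the demux there and binds a different rule set to interfaces 1 and 2. */
static struct pfil_head global_head;
static struct prefix_rule rule_if1 = { "EVIL" };
static struct prefix_rule rule_if2 = { "SPAM" };

static struct pfil_head *ifpfil_setup(void)
{
	memset(&global_head, 0, sizeof global_head);
	memset(ifpfil_heads, 0, sizeof ifpfil_heads);
	pfil_add_hook(&global_head, ifpfil_demux, NULL, PFIL_IN | PFIL_OUT);
	ifpfil_add_hook(1, prefix_drop, &rule_if1, PFIL_IN);
	ifpfil_add_hook(2, prefix_drop, &rule_if2, PFIL_IN);
	return &global_head;
}

/* Feed one constructed inbound packet through the global head on an interface. */
static int filter_in(struct pfil_head *gh, int if_index, const char *payload)
{
	struct ifnet ifp = { if_index };
	struct mbuf m = { payload }, *mp = &m;
	return pfil_run_hooks(gh, &mp, &ifp, PFIL_IN);
}

int main(void)
{
	struct pfil_head *gh = ifpfil_setup();
	printf("if1 EVIL: %s\n", filter_in(gh, 1, "EVIL payload") ? "drop" : "pass");
	printf("if2 EVIL: %s\n", filter_in(gh, 2, "EVIL payload") ? "drop" : "pass");
	printf("if7 SPAM: %s\n", filter_in(gh, 7, "SPAM payload") ? "drop" : "pass");
	return 0;
}
```

The EVIL rule only fires on interface 1 and the SPAM rule only on interface 2; a packet on an interface with no table entry passes untouched. Which rule set a given filter binds to which interface is the filter's decision, made through ifpfil_add_hook(), which is the division of labour the reply argues for: the demultiplexer selects interfaces, the filter decides behaviour.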

