[patch] gsoc project: improving layer2 filtering

Max Laier max at love2party.net
Mon Sep 8 20:13:37 UTC 2008


On Monday 08 September 2008 21:30:21 Gleb Kurtsou wrote:
> [Max Laier and Brooks Davis CCed as suggested by Andrew Thompson]
>
> This summer I was working on improving layer2 filtering (my mentor is
> Andrew Thompson) as a google summer of code project.  The project was
> successfully completed.

Wow!  That's one large diff ... unfortunately I don't have much time right 
now.  I'll try to look at the pf changes one of these days, but please re-ping 
if I don't get to it in a timely manner.  For the moment all I can say is that 
your work is very appreciated and that - from a quick glance - it looks like 
this could be ready(-ish) for inclusion.  In any case we should get the 
releases out the door before dropping this in current.

Again, thanks for your work ... I'll look at it as I find time.

> I'd like to ask for a public review of the patch attached.
> To apply patch (against -CURRENT):
> cd /usr/src; patch -p0 < gk_l2filter.patch
>
> Note that the patch is not so clean: style(9) issues, stale comments,
> some inaccurate variable names, etc. But it should be just fine for a
> general review.  I'd like to continue working further to improve it, if
> the community is interested and if there is a possibility for it to get
> committed.  I would appreciate any comments and suggestions.
>
> Some additional details and examples of new functionality can be found on
> my blog: http://blogs.freebsdish.org/gleb/
>
> Project's perforce repository:
> http://perforce.freebsd.org/changeList.cgi?CMD=changes&FSPC=//depot/projects/soc2008/gk%5fl2filter/...
>
> To sum it up, the following project goals were achieved (old todo list):
>
> general:
>     * Implement pfil hooks for filtering ethernet packets
>     * Add mtag containing source and destination layer2 addresses to
>       every mbuf
>     * Add per interface flags: l2filter, l2tag
>
> ipfw:
>     * Update ipfw layer2 not to touch ip headers, but to use mentioned
>       mtags to do MAC-IP filtering
>     * Add src-ether and dst-ether ipfw options
>     * Support mac addresses in ipfw lookup tables
>     * Stateful filtering by mac addresses
>     * Implement ARP filtering options
>     * Update documentation
>
> pf:
>     * Add stateful filtering against mac addresses. Make it part of
>       present layer3 stateful filtering.
>     * Extend pf's tables facility to contain layer2 address apart with
>       layer3 address.
>     * Support in userspace (pf.conf, pfctl).
>     * Update documentation

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

