svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf
Bryan Drewery
bdrewery at FreeBSD.org
Thu Jan 31 23:44:36 UTC 2019
On 1/31/19 3:01 PM, Gleb Smirnoff wrote:
> Author: glebius
> Date: Thu Jan 31 23:01:03 2019
> New Revision: 343631
> URL: https://svnweb.freebsd.org/changeset/base/343631
>
> Log:
> New pfil(9) KPI together with newborn pfil API and control utility.
>
> The KPI has been reviewed and cleansed of features that were planned
> back 20 years ago and never implemented. The pfil(9) internals have
> been made opaque to protocols with only returned types and function
> declarations exposed. The KPI is made more strict, but at the same time
> more extensible, as kernel uses same command structures that userland
> ioctl uses.
>
> In a nutshell [KA]PI is about declaring filtering points, declaring
> filters and linking and unlinking them together.
>
> New [KA]PI makes it possible to reconfigure pfil(9) configuration:
> change order of hooks, rehook filter from one filtering point to a
> different one, disconnect a hook on output leaving it on input only,
> prepend/append a filter to existing list of filters.
>
> Now it is possible for a single packet filter to provide multiple rulesets
> that may be linked to different points. Think of per-interface ACLs in
> Cisco or Juniper. None of existing packet filters yet support that,
> however limited usage is already possible, e.g. default ruleset can
> be moved to single interface, as soon as interface would provide their
> filtering points.
>
> Another future feature is possibility to create pfil heads, that provide
> not an mbuf pointer but just a memory pointer with length. That would
> allow filtering at very early stages of a packet lifecycle, e.g. when
> packet has just been received by a NIC and no mbuf was yet allocated.
>
> Differential Revision: https://reviews.freebsd.org/D18951
>
> Added:
> head/sbin/pfilctl/
> head/sbin/pfilctl/Makefile (contents, props changed)
> head/sbin/pfilctl/pfilctl.8 (contents, props changed)
> head/sbin/pfilctl/pfilctl.c (contents, props changed)
> Modified:
> head/ObsoleteFiles.inc
> head/sbin/Makefile
> head/share/man/man9/Makefile
> head/share/man/man9/pfil.9
> head/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
> head/sys/net/if_bridge.c
> head/sys/net/if_enc.c
> head/sys/net/if_ethersubr.c
> head/sys/net/if_var.h
> head/sys/net/pfil.c
> head/sys/net/pfil.h
> head/sys/netinet/ip_fastfwd.c
> head/sys/netinet/ip_input.c
> head/sys/netinet/ip_output.c
> head/sys/netinet/ip_var.h
> head/sys/netinet/siftr.c
> head/sys/netinet6/ip6_fastfwd.c
> head/sys/netinet6/ip6_forward.c
> head/sys/netinet6/ip6_input.c
> head/sys/netinet6/ip6_output.c
> head/sys/netinet6/ip6_var.h
> head/sys/netpfil/ipfw/ip_fw_eaction.c
> head/sys/netpfil/ipfw/ip_fw_pfil.c
> head/sys/netpfil/pf/pf_ioctl.c
This breaks the build.
https://ci.freebsd.org/job/FreeBSD-head-powerpc64-build/9220/console
> 23:28:54 cc1: warnings being treated as errors
> 23:28:54 /usr/src/sbin/pfilctl/pfilctl.c: In function 'help':
> 23:28:54 /usr/src/sbin/pfilctl/pfilctl.c:97: warning: nested extern declaration of '__progname'
> 23:28:54 --- all_subdir_lib ---
> 23:28:54 --- clog.3.gz ---
> 23:28:54 gzip -cn /usr/src/lib/msun/man/clog.3 > clog.3.gz
> 23:28:54 --- all_subdir_sbin ---
> 23:28:54 *** [pfilctl.o] Error code 1
> 23:28:54
> 23:28:54 make[4]: stopped in /usr/src/sbin/pfilctl
--
Regards,
Bryan Drewery