Re: per-interface packet filters

From: Andre Oppermann (andre_at_freebsd.org)
Date: 12/13/04

  • Next message: Max Laier: "Re: per-interface packet filters"
    Date: Mon, 13 Dec 2004 15:49:31 +0100
    To: Gleb Smirnoff <glebius@freebsd.org>
    
    

    Gleb Smirnoff wrote:
    >
    > Dear networkers,
    >
    > I finally managed to pronounce my idea, although I'm afraid
    > of a bikeshed it is going to be buried under.
    >
    > When managing a complex router with many interfaces the output
    > of `ipfw show` (or ipf/pf analog) is getting long and difficult to
    > understand. It is also important that many packets are checked
    > against the rules that can never be applied to them, wasting CPU
    > cycles.
    >
    > A simple example can be a local network router with many inner interfaces
    > and with one interface to the internet. Actually filtering is desired
    > only on the external interface, and there is no need for local traffic
    > to enter packet filtering routines, e.g. ipfw_chk().

    Then your argument about long ipfw show doesn't hold... ;)

    > I'd like to implement per-interface pfil hooks, like in Cisco
    > world. Each interface may have 'in' list of rules, 'out' list
    > of rules. Current global ip_{input,output}, filters may coexist
    > with per-interface ones, but can be turned off.

    Different worlds. I wonder why everything has to be "like Cisco". It's
    not always the most clever way they solve a given problem.

    > Our PFIL interface is quite ready for this, and this is very nice.

    I don't see any changes to pfil for this. Pfil already passes the
    interface in the argument call. This is more something for the packet
    filters (ipfw/pf/ipf) than for the pfil API?

    > I'll start with creating/editing alternative chains in ipfw. Then
    > we will need to add the possibility to register per-interface hooks
    > in pfil, and add the possibility to pass one more optional argument
    > from pfil to the filter itself.

    Can you provide an example of how you think the syntax should be?

    > I'm glad to see any constructive comments on the plan.

    You have to be careful not to collide with the "in|out|via" inside
    the rules.

    -- 
    Andre
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
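To make the two points in the exchange concrete (packets walking rules that can never match them on a single global chain, and Andre's warning that a per-interface chain can collide with the "in|out|via" qualifiers inside the rules), here is an added simulation. It is not code from this thread or from FreeBSD; the rule fields, interface names (em0 as the external interface, em1/em2 internal), the sample rule set and the sample packets are all constructed for the illustration, and rule matching is reduced to direction, interface and source prefix. The global walk counts evaluations the way one pass through a single first-match rule list would, then the same rules are split into per-interface in/out chains and walked again; a final helper flags rules that are unreachable on the chain they were placed on.

```python
"""Global vs per-interface filter chains: evaluation cost and dead rules.

Added illustration (not from the freebsd-net thread or FreeBSD). Rule
qualifiers loosely mirror ipfw's "in|out|via <ifname>"; all data below
is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                        # "allow" or "deny"
    direction: Optional[str] = None    # "in", "out", or None for either
    via: Optional[str] = None          # interface name, or None for any
    src: Optional[str] = None          # source prefix, or None for any

    def matches(self, pkt: "Packet") -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.via is not None and self.via != pkt.ifname:
            return False
        if self.src is not None and (
            ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src)
        ):
            return False
        return True


@dataclass(frozen=True)
class Packet:
    ifname: str       # interface the packet arrives on / leaves through
    direction: str    # "in" or "out"
    src: str          # source address


@dataclass
class Stats:
    rules_checked: int = 0                        # total rule evaluations
    verdicts: list = field(default_factory=list)  # one verdict per packet


def run_chain(chain, pkt, stats):
    """First-match walk of one rule list; every rule looked at is counted.
    Falls through to allow only if nothing matched (the sample set ends
    with an explicit catch-all, so that never happens here)."""
    for rule in chain:
        stats.rules_checked += 1
        if rule.matches(pkt):
            return rule.action
    return "allow"


def filter_global(rules, packets):
    """Every packet walks the whole global list, whatever interface it hit."""
    stats = Stats()
    for pkt in packets:
        stats.verdicts.append(run_chain(rules, pkt, stats))
    return stats


def split_per_interface(rules, interfaces):
    """Build an (ifname, direction) -> rule list map. A rule without 'via'
    is copied into every interface's chains; one without a direction into
    both 'in' and 'out'. Relative rule order is preserved."""
    chains = {}
    for ifn in interfaces:
        for d in ("in", "out"):
            chains[(ifn, d)] = [r for r in rules
                                if r.via in (None, ifn) and r.direction in (None, d)]
    return chains


def filter_per_interface(chains, packets):
    """Each packet only walks the chain for its own interface and direction."""
    stats = Stats()
    for pkt in packets:
        chain = chains[(pkt.ifname, pkt.direction)]
        stats.verdicts.append(run_chain(chain, pkt, stats))
    return stats


def dead_rules(chain, ifname, direction):
    """Rules on a per-interface chain whose own 'via' or 'in|out' qualifier
    contradicts the chain they sit on can never fire: the collision Andre
    warns about. Returns their rule numbers."""
    return [r.number for r in chain
            if r.via not in (None, ifname) or r.direction not in (None, direction)]


INTERFACES = ("em0", "em1", "em2")   # constructed: em0 external, em1/em2 inner

# Constructed sample rule set: anti-spoofing on the external interface,
# permit everything on the inner ones, explicit deny-all at the end.
RULES = [
    Rule(100, "deny", "in", "em0", "10.0.0.0/8"),
    Rule(200, "deny", "in", "em0", "192.168.0.0/16"),
    Rule(300, "allow", None, "em0"),
    Rule(400, "allow", None, "em1"),
    Rule(500, "allow", None, "em2"),
    Rule(65535, "deny"),
]

# Constructed sample traffic.
PACKETS = [
    Packet("em0", "in", "10.1.2.3"),       # spoofed private source from outside
    Packet("em0", "in", "8.8.8.8"),
    Packet("em1", "in", "192.168.1.5"),
    Packet("em2", "out", "10.9.9.9"),
    Packet("em1", "out", "172.16.0.1"),
]


def compare():
    """Returns (global evaluations, per-interface evaluations, same verdicts)."""
    g = filter_global(RULES, PACKETS)
    p = filter_per_interface(split_per_interface(RULES, INTERFACES), PACKETS)
    return g.rules_checked, p.rules_checked, g.verdicts == p.verdicts


if __name__ == "__main__":
    print("global / per-interface evaluations, verdicts equal:", compare())
    chains = split_per_interface(RULES, INTERFACES)
    print("em1 'in' chain:", [r.number for r in chains[("em1", "in")]])
    # A hand-built misconfiguration: an em0-only rule placed on em1's chain.
    wrong = [RULES[0], RULES[3]]
    print("dead on em1/in:", dead_rules(wrong, "em1", "in"))
```

The split keeps verdicts identical while inner-interface traffic stops paying for the external interface's rules, which is the CPU argument; the shorter per-chain listings are the readability argument. `dead_rules` is the check a practitioner would want after such a split: a rule that still carries `via em0` on em1's chain is not wrong syntactically, it is simply never reached.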
    
