Re: per-interface packet filters [summary]
From: Kelly Yancey (kbyanc_at_posi.net)
Date: 12/16/04
- Previous message: Andre Oppermann: "Re: per-interface packet filters [summary]"
- In reply to: Andre Oppermann: "Re: per-interface packet filters [summary]"
- Next in thread: Luigi Rizzo: "Re: per-interface packet filters [summary]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 15 Dec 2004 16:36:12 -0800 (PST) To: Andre Oppermann <andre@freebsd.org>
On Thu, 16 Dec 2004, Andre Oppermann wrote:
> Kelly Yancey wrote:
> >
> > How about a generic per-interface pfil demultiplexer? That is, a module
> > that uses the existing pfil hooks to in turn call per-interface hooks.
> > As Luigi suggested earlier, it would be possible to use the interface
> > index to index an array private to the multiplexer's implementation.
> > If each element in this array had its own pfil_head, then the demultiplexer
> > could then call pfil_run_hooks() using that list. This would allow you
> > to have your per-interface hooks in a generic way without changing a line
> > of existing code. It could be entirely encapsulated in kld. Provided an
> > API to manipulate the per-interface pfil registration, you could even run
> > different filters on different interfaces.
> > You'de even have a chance of back-porting it to FreeBSD 5.x since you
> > won't be changing the ifnet structure at all.
>
> You'd have to change all firewall packages too. Currently they are not
> aware of and can't deal with multiple rule chain heads. The is the
> second main problem of Gleb implementation proposal so far.
>
> Nothing prevents generic routines to have the demultiplexer you describe
> but it's use and handling has to be inside each firewall package.
>
Absolutely. You could only use such a demultiplexer to select which
interfaces filters would apply to. The issue of implementing different
behavior depending on the interface (e.g. a firewall implementing
per-interface rulesets) is necessarily a matter for the filter not the
framework.
That said, since we have 3 firewall implementations, you could use the
demultiplexer to have 3 different sets of rules, each applied to a different
subset of the interfaces. :)
Kelly
--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com
"An enlightened people, and an energetic public opinion... will control and
enchain the aristocratic spirit of the government." --Thomas Jefferson
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
- Previous message: Andre Oppermann: "Re: per-interface packet filters [summary]"
- In reply to: Andre Oppermann: "Re: per-interface packet filters [summary]"
- Next in thread: Luigi Rizzo: "Re: per-interface packet filters [summary]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
