Date: Sat, 19 Feb 2000 23:01:26 +1100 (Australia/NSW) From: Darren Reed <avalon@coombs.anu.edu.au> To: luigi@info.iet.unipi.it (Luigi Rizzo) Cc: hackers@FreeBSD.ORG Subject: Re: post 4.0...adoption of pfil(9) from NetBSD ? Message-ID: <200002191201.XAA01927@cairo.anu.edu.au> In-Reply-To: <200002191046.LAA84458@info.iet.unipi.it> from "Luigi Rizzo" at Feb 19, 2000 11:46:41 AM
next in thread | previous in thread | raw e-mail | index | archive | help
In some mail from Luigi Rizzo, sie said:
>
> > I was just having a quick peek at how ipfw works in FreeBSD-4 for IPv6,
> > to see what's required for IP-Filter (hoping for a clean interface)
> > and the response is "sigh". The old ipfw mechanism needs to be
> > abandoned, IMHO.
>
> can you comment a bit more ? I am a bit unclear on what
> exactly is thay you don't find appropriate in ipfw etc.
The problem is that the in kernel support for ipfw/ipfilter is
*specific* to each. There is no mechanism for 3rd party people
to add their own without making the same ugly hacks as already
exists unless they choose to use the ipfw/ipfilter hook instead.
i.e. each time we want to filter a new protocol we need to hack
the various functions for a filter specific hook rather than
using a generic filter/calling mechanism.
> If you have an URL for a pfil(9) manpage i would appreciate it.
See below for man page from 1.4.
> Some comments:
>
> The issue of one vs. multiple lists (per direction, interface,
> protocol, you name it) has been discussed some time ago. For sure
> multiple lists are a (minor, given that we can start the ipfw lists
> with a few of "skipto") performance improvement over a single one,
> at the possible price of having some duplication in writing filters
> and even defining how many lists are appropriate.
To me, this outlines how bad the current system for ipfw support
has become. Need something ? Just hack the appropriate part of
the kernel. There's no real design in the infrastructure for
ipfw. Sort of what Linux was like before they redesigned their
firewalling, etc, interfaces using netfilter.
I must point out that whilst pfil(9) as found in NetBSD does not
provide enough support for the various FreeBSDisms to be put in
as it is, I think it can be expanded upon, whilst still supporting
the same interface, to meet FreeBSD's needs.
Darren
PFIL(9) NetBSD Kernel Manual PFIL(9)
NAME
pfil, pfil_hook_get, pfil_add_hook, pfil_remove_hook - packet filter in-
terface
SYNOPSIS
#include <sys/param.h>
#include <sys/mbuf.h>
#include <net/if.h>
#include <net/pfil.h>
struct packet_filter_hook *
pfil_hook_get(int);
void
pfil_add_hook(int (*func)(), int flags);
void
pfil_remove_hook(int (*func)(), int flags);
DESCRIPTION
The pfil interface allows a function to be called on every incoming or
outgoing packets. The hooks for these are embedded in the ip_input() and
ip_output() routines. The pfil_hook_get() function returns the first
member of a particular hook, either the in or out list. The
pfil_add_hook() function takes a function of the form below as it's first
argument, and the flags for which lists to add the function to. The pos-
sible values for these flags are some combination of PFIL_IN and
PFIL_OUT. The pfil_remove_hook() removes a hook from the specified
lists.
The func argument is a function with the following prototype.
func(void *data, int hlen, struct ifnet *net, int dir, struct mbuf **m)
The data describes the packet. Currently, this may only be a pointer to
a ip structure. The net and m arguments describe the network interface
and the mbuf holding data for this packet. The dir is the direction; 0
for incoming packets and 1 for outgoing packets. if the function returns
non-zero, this signals an error and no further processing of this packet
is performed. The function should set errno to indicate the nature of
the error. It is the hook's responsibiliy to free the chain if the pack-
et is being dropped.
The pfil interface is enabled in the kernel via the PFIL_HOOKS option.
RETURN VALUES
If successful pfil_hook_get() returns the first member of the packet fil-
ter list, pfil_add_hook() and pfil_remove_hook() are expected to always
succeed.
HISTORY
The pfil interface first appeared in NetBSD 1.3. The pfil input and out-
put lists were originally implemented as <sys/queue.h>
LIST structures; however this was changed in NetBSD 1.4 to TAILQ struc-
tures. This change was to allow the input and output filters to be pro-
cessed in reverse order, to allow the same path to be taken, in or out of
the kernel.
BUGS
The current pfil implementation will need changes to suit a threaded ker-
nel model.
SEE ALSO
bpf(4)
NetBSD 1.4 August 4, 1996 1
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200002191201.XAA01927>