From owner-freebsd-net@FreeBSD.ORG Mon Sep 8 20:13:37 2008
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 988B61065687; Mon, 8 Sep 2008 20:13:37 +0000 (UTC) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.183]) by mx1.freebsd.org (Postfix) with ESMTP id 2DDC38FC1E; Mon, 8 Sep 2008 20:13:36 +0000 (UTC) (envelope-from max@love2party.net)
Received: from vampire.homelinux.org (dslb-088-064-189-243.pools.arcor-ip.net [88.64.189.243]) by mrelayeu.kundenserver.de (node=mrelayeu7) with ESMTP (Nemesis) id 0ML2xA-1Kcn792RSi-0002cq; Mon, 08 Sep 2008 22:13:35 +0200
Received: (qmail 31529 invoked from network); 8 Sep 2008 20:13:35 -0000
Received: from fbsd8.laiers.local (192.168.4.151) by laiers.local with SMTP; 8 Sep 2008 20:13:35 -0000
From: Max Laier
Organization: FreeBSD
To: freebsd-net@freebsd.org, Brooks Davis
Cc: Gleb Kurtsou, Andrew Thompson
Date: Mon, 8 Sep 2008 22:13:34 +0200
User-Agent: KMail/1.10.1 (FreeBSD/8.0-CURRENT; KDE/4.1.1; i386; ; )
References: <20080908193020.GA37900@rybacik>
In-Reply-To: <20080908193020.GA37900@rybacik>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200809082213.34703.max@love2party.net>
Subject: Re: [patch] gsoc project: improving layer2 filtering
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 08 Sep 2008 20:13:37 -0000

On Monday 08 September 2008 21:30:21 Gleb Kurtsou wrote:
> [Max Laier and Brooks Davis CCed as suggested by Andrew Thompson]
>
> This summer I was working on improving layer2 filtering (my mentor is
> Andrew Thompson) as a Google Summer of Code project. The project was
> successfully completed.

Wow! That's one large diff ... unfortunately I don't have much time right
now. I'll try to look at the pf changes one of these days, but please
re-ping if I don't get to it in a timely manner. For the moment all I can
say is that your work is very appreciated and that - from a quick glance -
it looks like this could be ready(-ish) for inclusion. In any case we
should get the releases out the door before dropping this in current.

Again, thanks for your work ... I'll look at it as I find time.

> I'd like to ask for a public review of the patch attached.
> To apply the patch (against -CURRENT):
> cd /usr/src; patch -p0 < gk_l2filter.patch
>
> Note that the patch is not so clean: style(9) issues, stale comments,
> some inaccurate variable names, etc. But it should be just fine for a
> general review. I'd like to continue working further to improve it, if
> the community is interested and if there is a possibility for it to get
> committed. I would appreciate any comments and suggestions.
>
> Some additional details and examples of the new functionality can be found
> on my blog: http://blogs.freebsdish.org/gleb/
>
> Project's perforce repository:
> http://perforce.freebsd.org/changeList.cgi?CMD=changes&FSPC=//depot/projects/soc2008/gk%5fl2filter/...
>
> To sum it up, the following project goals were achieved (old todo list):
>
> general:
> * Implement pfil hooks for filtering ethernet packets
> * Add mtag containing source and destination layer2 addresses to
> every mbuf
> * Add per interface flags: l2filter, l2tag
>
> ipfw:
> * Update ipfw layer2 not to touch ip headers, but to use the mentioned
> mtags to do MAC-IP filtering
> * Add src-ether and dst-ether ipfw options
> * Support mac addresses in ipfw lookup tables
> * Stateful filtering by mac addresses
> * Implement ARP filtering options
> * Update documentation
>
> pf:
> * Add stateful filtering against mac addresses. Make it part of the
> present layer3 stateful filtering.
> * Extend pf's tables facility to contain layer2 addresses alongside
> layer3 addresses.
> * Support in userspace (pf.conf, pfctl).
> * Update documentation

--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
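The goal list above names three ideas that are easy to confuse: carrying the layer-2 source and destination addresses alongside the packet so the layer-3 code can use them, a lookup table keyed by MAC address that binds each MAC to the IPs it may source, and ARP filtering that checks the ARP payload against the Ethernet header. The following user-space simulation, added here as an illustration and not code from the GSoC patch, ipfw or pf, shows how those checks fit together over constructed Ethernet frames. The `parse_frame` step plays the role of the per-packet tag, `BINDINGS` is a constructed MAC-to-IP table, and `l2_filter` applies the MAC/IP and ARP consistency rules; all names, the sample addresses and the frame contents are made up for the example.

```python
"""Toy layer-2 filter illustrating MAC-IP binding tables and ARP consistency
checks. Added example, not code from the patch or from FreeBSD. Runs offline
over constructed frames."""
import struct

ETH_HDR = 14
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_frame(frame):
    """Extract the layer-2 addresses (the role of the per-mbuf tag in the thread)
    plus the layer-3 or ARP fields the filter needs."""
    if len(frame) < ETH_HDR:
        raise ValueError("runt frame")
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETH_HDR])
    info = {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "etype": etype}
    payload = frame[ETH_HDR:]
    if etype == ETHERTYPE_IP:
        if len(payload) < 20:
            raise ValueError("truncated IPv4 header")
        info["src_ip"], info["dst_ip"] = ip_str(payload[12:16]), ip_str(payload[16:20])
    elif etype == ETHERTYPE_ARP:
        if len(payload) < 28:
            raise ValueError("truncated ARP")
        # after htype/ptype/hlen/plen (6 bytes): op, sender hw, sender ip, target hw, target ip
        op, sha, spa, _tha, tpa = struct.unpack("!H6s4s6s4s", payload[6:28])
        info.update(arp_op=op, arp_sha=mac_str(sha), arp_spa=ip_str(spa), arp_tpa=ip_str(tpa))
    return info


def l2_filter(frame, bindings):
    """bindings maps a source MAC to the set of IPv4 addresses it may use.
    Returns ("pass" | "drop", reason)."""
    f = parse_frame(frame)
    if f["etype"] == ETHERTYPE_IP:
        allowed = bindings.get(f["src_mac"])
        if allowed is None:
            return "drop", f"unknown source MAC {f['src_mac']}"
        if f["src_ip"] not in allowed:
            return "drop", f"{f['src_mac']} may not source {f['src_ip']}"
        return "pass", "MAC/IP binding ok"
    if f["etype"] == ETHERTYPE_ARP:
        # ARP sender hardware address must agree with the Ethernet source address
        if f["arp_sha"] != f["src_mac"]:
            return "drop", "ARP sender MAC differs from Ethernet source MAC"
        allowed = bindings.get(f["arp_sha"])
        if allowed is None or f["arp_spa"] not in allowed:
            return "drop", "ARP sender claims an IP it is not bound to"
        return "pass", "ARP consistent with bindings"
    return "drop", f"ethertype 0x{f['etype']:04x} not permitted"


def build_ip_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Constructed Ethernet + minimal IPv4 header (no payload), for testing."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IP)
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 17, 0)
    return eth + ip + ip_bytes(src_ip) + ip_bytes(dst_ip)


def build_arp_frame(src_mac, sha, spa, tpa):
    """Constructed broadcast ARP request; sha may deliberately differ from src_mac."""
    eth = b"\xff" * 6 + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, 1)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + b"\x00" * 6 + ip_bytes(tpa)


# Constructed sample table: which IPs each known MAC may use.
BINDINGS = {
    "00:11:22:33:44:55": {"192.168.4.151"},
    "00:11:22:33:44:66": {"192.168.4.1"},
}

if __name__ == "__main__":
    frames = [
        build_ip_frame("00:11:22:33:44:55", "00:11:22:33:44:66", "192.168.4.151", "192.168.4.1"),
        build_ip_frame("00:11:22:33:44:55", "00:11:22:33:44:66", "192.168.4.1", "192.168.4.151"),
        build_arp_frame("00:11:22:33:44:55", "00:11:22:33:44:66", "192.168.4.1", "192.168.4.151"),
    ]
    for fr in frames:
        print(l2_filter(fr, BINDINGS))
```

The second frame is dropped even though its IP header is well formed, because the binding check is keyed on the Ethernet source address rather than anything inside the IP packet; the third is dropped because the ARP sender hardware address does not match the frame's source MAC. A real in-kernel implementation would also need to handle VLAN tags and the table's update path, which this sketch leaves out.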