Date: Tue, 14 Dec 2004 16:32:51 +0100 From: Andre Oppermann <andre@freebsd.org> To: Luigi Rizzo <rizzo@icir.org> Cc: freebsd-net@freebsd.org Subject: Re: per-interface packet filters [summary] Message-ID: <41BF07A3.8F1F505E@freebsd.org> References: <20041213124051.GB32719@cell.sick.ru> <20041214015603.A75019@xorpc.icir.org> <20041214060341.A77720@xorpc.icir.org> <41BEF746.E8362858@freebsd.org> <20041214063118.B77933@xorpc.icir.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Luigi Rizzo wrote: > > On Tue, Dec 14, 2004 at 03:23:02PM +0100, Andre Oppermann wrote: > ... > > > the struct ifnet. All i meant to say is that we want a unique > > > key, possibly in a small namespace, to quickly locate the per-if > > > private firewall info. How the key is used is not a business of > > > the rest of the kernel. But of course if it is an index in a > > > smallish array (such as ifindex) the thing is fast and clean. > > > > Ok, I'm fine with *this* approach. > > > > This can be done and handled inside ipfw_check_in|out() based on the > > interface pointer information passed in from pfil_run_hooks(). > > > > Then inside IPFW it can be implemented with multiple rule chains > > although I'm not convinced this would be the smartest approach. > > alternatives ? See below. > > Wouldn't it be even better to have per-interface and global rules > > after each other? This way your problem with the general rule > > synching can be solved. > > this is what gleb suggested later today, but i don't think > this solves the problem because sometimes you want the common > processing to be at the beginning, sometimes at the end of the > chain... Plus there is the issue of namespace -- when you do > 'skipto 1000' is this a rule number in the global or the > private chain ? Having only *one* chain (either public or > private) solves the problem although at the price of some > extra copies of the firewall code. I've got something in mind marrying the global/interface approach based on my experience of managing large Cisco per-interface ACL's (which is a royal pain to get right). The big problem of the per- interface approach is the protection of the host itself (control plane in Cisco speak). They have fixed it in newest IOS with so called infrastructure ACL's but that is making life only a little better. Give a bit time to work out the idea some more. -- Andre
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41BF07A3.8F1F505E>