Date:      Mon, 25 Nov 2013 12:38:29 -0600
From:      Frank Knobbe <frank@knobbe.us>
To:        freebsd-hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Do pfil(9) hooks receive TCP retransmissions?
Message-ID:  <20131125183829.GA75749@knobbe.us>
In-Reply-To: <20131125181232.GB6275@kiwi.coupleofllamas.com>
References:  <20131125181232.GB6275@kiwi.coupleofllamas.com>

On Mon, Nov 25, 2013 at 10:12:32AM -0800, R. Tyler Croy wrote:
> I'm looking at the pfil(9) interface to accomplish some packet inspection
> tasks, but the man page leaves some ambiguity in this case.
> 
> If the hooks are not invoked multiple times for retransmissions then I can
> imagine it being relatively "simple" to implement a basic firewall with these
> hooks without implementing loads of state tracking for packets.

I'm not sure if I follow. Typically you only have one function that gets
"hooked" into the pfil chain. That function will receive ALL packets leaving
or entering the system. It's up to your code to check for the interface,
apply state tracking, or whatever other checks need to be performed. For a
very basic firewall (just dropping traffic from/to a certain IP address or
a certain port or protocol) you probably don't need to track state.

If the packet passes your filter criteria and is to be passed on (down the
chain of other firewalls), your function is to return 0. If you need to
filter the packet, your function needs to a) m_freem the mbuf, and
b) return -1. That'll drop the packet and it won't be passed on to other
firewalls in the chain or the system.

Hope that helps.

Cheers,
Frank
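
As an added example (not from Frank's mail or the FreeBSD sources), a user-space model of the pass/drop contract he describes: the verdict a basic stateless filter would give an IPv4/TCP packet, and a hook wrapper that frees the packet and returns -1 on drop, or returns 0 and leaves it alone on pass. The blocked address, the blocked port and the packet builder are constructed for the example; the real hook works on an mbuf and calls m_freem(), which free() stands in for here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define PF_PASS 0       /* pfil(9) convention from the mail: 0 = pass on */
#define PF_DROP (-1)    /* -1 = dropped, after the hook freed the packet */

/* Assumed policy for this example (constructed): block host 192.0.2.10 and TCP port 23. */
static const uint8_t blocked_ip[4] = {192, 0, 2, 10};
#define BLOCKED_PORT 23

/* Stateless verdict on a raw IPv4 packet: the decision a basic pfil hook makes. */
int packet_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return PF_PASS;                       /* not IPv4: not ours to judge */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return PF_PASS;                       /* bad IHL: never index past the buffer */
    if (memcmp(pkt + 12, blocked_ip, 4) == 0 || memcmp(pkt + 16, blocked_ip, 4) == 0)
        return PF_DROP;                       /* src or dst address blocked */
    if (pkt[9] != 6 || len < ihl + 4)         /* 6 = TCP; need the port fields */
        return PF_PASS;
    uint16_t sport = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
    uint16_t dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    return (sport == BLOCKED_PORT || dport == BLOCKED_PORT) ? PF_DROP : PF_PASS;
}

/* Ownership contract from the mail: on drop the hook frees the packet (m_freem()
 * in the kernel, free() here) and returns -1; on pass it returns 0 untouched. */
int hook_model(uint8_t **pktp, size_t len)
{
    int v = packet_verdict(*pktp, len);
    if (v == PF_DROP) { free(*pktp); *pktp = NULL; }
    return v;
}

/* Constructed input: minimal 40-byte IPv4+TCP header, no options, no payload. */
uint8_t *make_tcp_packet(const uint8_t src[4], const uint8_t dst[4],
                         uint16_t sport, uint16_t dport)
{
    uint8_t *p = calloc(40, 1);
    if (p == NULL) return NULL;
    p[0] = 0x45; p[3] = 40; p[8] = 64; p[9] = 6;   /* v4/IHL=5, total len, TTL, TCP */
    memcpy(p + 12, src, 4); memcpy(p + 16, dst, 4);
    p[20] = sport >> 8; p[21] = sport & 0xff;
    p[22] = dport >> 8; p[23] = dport & 0xff;
    return p;
}
```

A verdict of 0 on anything the parser cannot classify is deliberate: a filter that is not sure should leave the packet to the next hook in the chain rather than decide on fields it has not validated.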