From owner-freebsd-hackers@FreeBSD.ORG Mon Nov 25 18:45:12 2013
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 492F3325 for ; Mon, 25 Nov 2013 18:45:12 +0000 (UTC)
Received: from mailb.knobbe.us (mailb.knobbe.us [66.179.102.190]) by mx1.freebsd.org (Postfix) with SMTP id 0624E2F9B for ; Mon, 25 Nov 2013 18:45:11 +0000 (UTC)
Received: from localhost (HELO mail.knobbe.us) by localhost with SMTP; 25 Nov 2013 12:38:30 -0600
Date: Mon, 25 Nov 2013 12:38:29 -0600
From: Frank Knobbe
To: freebsd-hackers
Subject: Re: Do pfil(9) hooks receive TCP retransmissions?
Message-ID: <20131125183829.GA75749@knobbe.us>
References: <20131125181232.GB6275@kiwi.coupleofllamas.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20131125181232.GB6275@kiwi.coupleofllamas.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 25 Nov 2013 18:45:12 -0000

On Mon, Nov 25, 2013 at 10:12:32AM -0800, R. Tyler Croy wrote:
> I'm looking at the pfil(9) interface to accomplish some packet inspection
> tasks, but the man page leaves some ambiguity in this case.
>
> If the hooks are not invoked multiple times for retransmissions then I can
> imagine it being relatively "simple" to implement a basic firewall with these
> hooks without implementing loads of state tracking for packets.

I'm not sure if I follow. Typically you only have one function that gets
"hooked" into the pfil chain. That function will receive ALL packets leaving
or entering the system.

It's up to your code to check for the interface, apply state tracking, or
whatever other checks need to be performed. For a very basic firewall (just
dropping traffic from/to a certain IP address or a certain port or protocol)
you probably don't need to track state.

If the packet passes your filter criteria and is to be passed on (down the
chain of other firewalls), your function is to return 0. If you need to
filter the packet, your function needs to a) m_freem the mbuf, and b) return
-1. That'll drop the packet and it won't be passed on to other firewalls in
the chain or the system.

Hope that helps.

Cheers,
Frank
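The pass/drop contract Frank describes, shown as an added userland model of a pfil-style hook chain. This is not code from the thread or from FreeBSD: `struct pkt`, `struct blockrule`, `basic_fw_hook`, `counting_hook`, `run_hooks` and `demo_chain` are hypothetical names, and the packet fields are a stand-in for the few mbuf fields a basic filter would inspect. The hook shape (packet passed by double pointer, interface name and direction as arguments) mirrors the FreeBSD hook of that era, which took `(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir, struct inpcb *inp)`; later releases reworked the API. Two details worth seeing in code: after freeing the packet the hook also nulls the caller's pointer, so the chain runner never touches a freed mbuf, and the runner stops at the first hook that returns non-zero or consumes the packet, which is why a drop in your hook never reaches the firewalls behind it.

```c
/* Userland model of a pfil(9)-style hook chain. Added illustration only:
 * not FreeBSD kernel code, and the names below are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PFIL_IN  1
#define PFIL_OUT 2

/* Stand-in for a struct mbuf: only the fields a basic filter looks at. */
struct pkt {
    uint32_t src, dst;     /* IPv4 addresses, host byte order */
    uint8_t  proto;        /* 6 = TCP, 17 = UDP */
    uint16_t sport, dport;
};

/* Packet is passed by double pointer so a hook can free it and null it out. */
typedef int (*hook_fn)(void *arg, struct pkt **pp, const char *ifname, int dir);
struct hook { hook_fn func; void *arg; };

/* Filter criteria handed to the hook as its private argument. */
struct blockrule {
    const char *ifname;    /* apply only on this interface, NULL = any */
    uint32_t    ip;        /* drop if src or dst matches, 0 = ignore */
    uint16_t    port;      /* drop if sport or dport matches, 0 = ignore */
    uint8_t     proto;     /* drop if protocol matches, 0 = ignore */
};

/* Return 0 to pass; free the packet and return -1 to drop it. */
static int basic_fw_hook(void *arg, struct pkt **pp, const char *ifname, int dir)
{
    const struct blockrule *r = arg;
    struct pkt *p = *pp;
    (void)dir;             /* same rule in both directions */

    if (r->ifname != NULL && strcmp(ifname, r->ifname) != 0)
        return 0;          /* not our interface: pass */
    int match = (r->ip    && (p->src == r->ip || p->dst == r->ip))
             || (r->port  && (p->sport == r->port || p->dport == r->port))
             || (r->proto && p->proto == r->proto);
    if (!match)
        return 0;          /* pass on down the chain */

    free(p);               /* m_freem() in the kernel */
    *pp = NULL;            /* caller must not touch the packet again */
    return -1;             /* drop: ends the chain for this packet */
}

/* A second "firewall" further down the chain that only counts arrivals. */
static int counting_hook(void *arg, struct pkt **pp, const char *ifname, int dir)
{
    (void)pp; (void)ifname; (void)dir;
    (*(int *)arg)++;
    return 0;
}

/* Runs the chain the way the kernel's pfil_run_hooks() loop does: stop at the
 * first hook that returns non-zero or that consumed the packet. */
static int run_hooks(const struct hook *hooks, int n, struct pkt **pp, const char *ifname, int dir)
{
    for (int i = 0; i < n; i++) {
        int rv = hooks[i].func(hooks[i].arg, pp, ifname, dir);
        if (rv != 0 || *pp == NULL)
            return rv;
    }
    return 0;
}

static struct pkt *mkpkt(uint32_t src, uint32_t dst, uint8_t proto, uint16_t sport, uint16_t dport)
{
    struct pkt *p = calloc(1, sizeof *p);
    if (p == NULL) abort();
    p->src = src; p->dst = dst; p->proto = proto; p->sport = sport; p->dport = dport;
    return p;
}

/* Constructed scenario: drop TCP/23 on em0, pass everything else. Returns how
 * many packets reached the second hook; *dropped gets the first hook's rejects. */
int demo_chain(int *dropped)
{
    struct blockrule telnet = { "em0", 0, 23, 0 };
    int reached = 0;
    struct hook chain[] = { { basic_fw_hook, &telnet }, { counting_hook, &reached } };
    struct { uint8_t proto; uint16_t dport; const char *ifn; } in[] = {
        { 6, 23, "em0" }, { 6, 22, "em0" }, { 6, 23, "em1" }, { 17, 53, "em0" },
    };
    *dropped = 0;
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        struct pkt *p = mkpkt(0x0a000001, 0x0a000002, in[i].proto, 40000, in[i].dport);
        if (run_hooks(chain, 2, &p, in[i].ifn, PFIL_IN) != 0)
            (*dropped)++;
        else
            free(p);       /* the stack would hand the mbuf on; we are done with it */
    }
    return reached;
}

int demo_reached(void) { int d; return demo_chain(&d); }
int demo_dropped(void) { int d; demo_chain(&d); return d; }

int main(void)
{
    int dropped, reached = demo_chain(&dropped);
    printf("reached second hook: %d, dropped by first hook: %d\n", reached, dropped);
    return 0;
}
```

Of the four constructed packets, only the telnet packet on em0 is dropped; the telnet packet on em1 passes because the rule is bound to one interface, which is the "check for the interface" step Frank leaves to the hook's own code.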