Date:      Wed, 18 Dec 2019 07:09:45 -0800
From:      Cy Schubert <Cy.Schubert@cschubert.com>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>, Gleb Smirnoff <glebius@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf
Message-ID:  <AC59331B-1C37-4440-A22D-2CF86B317810@cschubert.com>
In-Reply-To: <f88b296e-d03a-8c43-3202-6ece60974b10@yandex.ru>
References:  <201901312301.x0VN13lM097213@repo.freebsd.org> <f88b296e-d03a-8c43-3202-6ece60974b10@yandex.ru>

On December 18, 2019 4:27:58 AM PST, "Andrey V. Elsukov" <bu7cher@yandex.ru> wrote:
>On 01.02.2019 02:01, Gleb Smirnoff wrote:
>> Author: glebius
>> Date: Thu Jan 31 23:01:03 2019
>> New Revision: 343631
>> URL: https://svnweb.freebsd.org/changeset/base/343631
>>
>> Log:
>>   New pfil(9) KPI together with newborn pfil API and control utility.
>>
>>   The KPI has been reviewed and cleansed of features that were planned
>>   back 20 years ago and never implemented.  The pfil(9) internals have
>>   been made opaque to protocols, with only returned types and function
>>   declarations exposed. The KPI is made more strict, but at the same time
>>   more extensible, as the kernel uses the same command structures that the
>>   userland ioctl uses.
>>
>>   In a nutshell, the [KA]PI is about declaring filtering points, declaring
>>   filters, and linking and unlinking them together.
>>
>>   The new [KA]PI makes it possible to reconfigure the pfil(9) configuration:
>>   change the order of hooks, rehook a filter from one filtering point to a
>>   different one, disconnect a hook on output leaving it on input only,
>>   prepend/append a filter to an existing list of filters.
>>
>>   Now it is possible for a single packet filter to provide multiple rulesets
>>   that may be linked to different points. Think of per-interface ACLs in
>>   Cisco or Juniper. None of the existing packet filters support that yet;
>>   however, limited usage is already possible, e.g. the default ruleset can
>>   be moved to a single interface, as soon as interfaces provide their
>>   filtering points.
>>
>>   Another future feature is the possibility to create pfil heads that
>>   provide not an mbuf pointer but just a memory pointer with length. That
>>   would allow filtering at very early stages of a packet lifecycle, e.g.
>>   when a packet has just been received by a NIC and no mbuf has yet been
>>   allocated.
>
>It seems that this commit has changed the error code returned from
>ip[6]_output() when a packet is blocked. Previously it was EACCES, but
>now it became EPERM. Was it intentional?

EPERM, operation not permitted regardless of privilege, is more appropriate.


-- 
Pardon the typos and autocorrect, small keyboard in use.
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://www.FreeBSD.org

The need of the many outweighs the greed of the few.

Sent from my Android device with K-9 Mail. Please excuse my brevity.
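The commit message quoted above describes pfil(9) as declaring filtering points, declaring filters, and linking and unlinking them, with the new ability to reorder hooks, attach a filter in one direction only, and prepend or append to a chain. The following is an added userland model of that design, written for this page; it is not FreeBSD's pfil(9) code, and every name in it (head_link, head_unlink, head_run, block_src, block_big, run_scenario) is hypothetical. It walks through the exact reconfiguration the log lists: two filters linked on input and output, then one of them disconnected on output while it stays on input. A dropped packet is reported as EPERM, mirroring what the thread says ip[6]_output() now returns when a packet is blocked.

```c
/* Userland model of the pfil(9) design the commit message describes: heads
 * (filtering points), hooks (filters) and link/unlink between them, with
 * per-direction links and prepend/append ordering.  Added illustration, not
 * FreeBSD kernel code; all names are hypothetical.  A drop surfaces as EPERM,
 * the error the thread says ip_output() now returns for a blocked packet. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOOKS 8
#define PFIL_IN  0x1
#define PFIL_OUT 0x2
enum pfil_ret { PFIL_PASS, PFIL_DROPPED };

struct pkt { const char *src; size_t len; };   /* enough for two toy rulesets */

/* A hook is a function plus an opaque ruleset, so one filter can register
 * several hooks carrying different rulesets (the per-point ACL idea above). */
typedef enum pfil_ret (*hook_fn)(struct pkt *, int dir, void *ruleset);
struct hook { const char *name; hook_fn fn; void *ruleset; };

/* A head keeps separate ordered chains for input and output. */
struct head { const char *name; struct hook *in[MAX_HOOKS], *out[MAX_HOOKS]; int nin, nout; };

static int chain_link(struct hook **c, int *n, struct hook *h, int append)
{
    for (int i = 0; i < *n; i++) if (c[i] == h) return EEXIST;
    if (*n >= MAX_HOOKS) return ENOMEM;
    if (append) { c[*n] = h; }
    else { memmove(&c[1], &c[0], sizeof(*c) * (size_t)*n); c[0] = h; } /* prepend */
    (*n)++;
    return 0;
}

static int chain_unlink(struct hook **c, int *n, struct hook *h)
{
    int i = 0;
    while (i < *n && c[i] != h) i++;
    if (i == *n) return ENOENT;                  /* not linked on this chain */
    memmove(&c[i], &c[i + 1], sizeof(*c) * (size_t)(*n - i - 1));
    (*n)--;
    return 0;
}

/* Link h to hd for the directions in flags; append == 0 prepends (runs first). */
int head_link(struct head *hd, struct hook *h, int flags, int append)
{
    int err = 0;
    if (flags & PFIL_IN) err = chain_link(hd->in, &hd->nin, h, append);
    if (!err && (flags & PFIL_OUT)) err = chain_link(hd->out, &hd->nout, h, append);
    return err;
}

/* Unlink h from the given directions only; the other chain stays as it was. */
int head_unlink(struct head *hd, struct hook *h, int flags)
{
    int err = 0;
    if (flags & PFIL_IN) err = chain_unlink(hd->in, &hd->nin, h);
    if (!err && (flags & PFIL_OUT)) err = chain_unlink(hd->out, &hd->nout, h);
    return err;
}

/* Run p through hd's chain for dir: 0 if every hook passes, EPERM on a drop. */
int head_run(struct head *hd, struct pkt *p, int dir)
{
    struct hook **c = dir == PFIL_IN ? hd->in : hd->out;
    int n = dir == PFIL_IN ? hd->nin : hd->nout;
    for (int i = 0; i < n; i++)
        if (c[i]->fn(p, dir, c[i]->ruleset) == PFIL_DROPPED) return EPERM;
    return 0;
}

/* Two toy rulesets: drop one source address; drop packets over a size. */
static enum pfil_ret block_src(struct pkt *p, int dir, void *rs)
{ (void)dir; return strcmp(p->src, (const char *)rs) == 0 ? PFIL_DROPPED : PFIL_PASS; }
static enum pfil_ret block_big(struct pkt *p, int dir, void *rs)
{ (void)dir; return p->len > *(size_t *)rs ? PFIL_DROPPED : PFIL_PASS; }

/* Scenario results; the ints are errno values from head_run()/head_unlink(). */
struct scenario {
    const char *first_out;   /* hook at the front of the output chain */
    int in_src, out_src_before, out_src_after, in_src_after, out_jumbo, unlink_again;
};

/* Link both hooks in and out, then disconnect block-src on output only,
 * leaving it on input: one of the reconfigurations the commit log lists. */
struct scenario run_scenario(void)
{
    static size_t mtu = 1500;
    static char src_rule[] = "10.0.0.1";                /* constructed sample rule */
    struct hook h_src = { "block-src", block_src, src_rule };
    struct hook h_big = { "block-big", block_big, &mtu };
    struct head ip4 = { .name = "inet" };
    struct pkt bad_src = { "10.0.0.1", 100 }, jumbo = { "192.0.2.7", 9000 }; /* constructed */
    struct scenario s;

    head_link(&ip4, &h_big, PFIL_IN | PFIL_OUT, 1);     /* append */
    head_link(&ip4, &h_src, PFIL_IN | PFIL_OUT, 0);     /* prepend: now runs first */
    s.first_out      = ip4.out[0]->name;
    s.in_src         = head_run(&ip4, &bad_src, PFIL_IN);
    s.out_src_before = head_run(&ip4, &bad_src, PFIL_OUT);
    head_unlink(&ip4, &h_src, PFIL_OUT);                /* output only; input untouched */
    s.out_src_after  = head_run(&ip4, &bad_src, PFIL_OUT);
    s.in_src_after   = head_run(&ip4, &bad_src, PFIL_IN);
    s.out_jumbo      = head_run(&ip4, &jumbo, PFIL_OUT);
    s.unlink_again   = head_unlink(&ip4, &h_src, PFIL_OUT);
    return s;
}

int main(void)
{
    struct scenario s = run_scenario();
    printf("first output hook: %s\n", s.first_out);
    printf("10.0.0.1 out before/after unlink: %s / %s\n", strerror(s.out_src_before),
           s.out_src_after ? strerror(s.out_src_after) : "passed");
    return 0;
}
```

After the output-only unlink the same source still hits block-src on input (EPERM) but passes on output, while the oversized packet is still dropped on output by the hook that remained linked; unlinking a hook that is no longer on a chain reports ENOENT rather than silently succeeding.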


