Date: Tue, 14 Dec 2004 07:01:49 -0800 From: Bruce M Simpson <bms@spc.org> To: Andre Oppermann <andre@freebsd.org> Cc: freebsd-net@freebsd.org Subject: Re: per-interface packet filters, design approach Message-ID: <20041214150148.GC684@empiric.icir.org> In-Reply-To: <41BEF670.95C30ED5@freebsd.org> References: <41BEF2AF.470F9079@freebsd.org> <20041214141307.GA684@empiric.icir.org> <41BEF670.95C30ED5@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--zCKi3GIZzVBPywwA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi, At this point I'm tempted to explicitly *not* roll support for IPFW1 in XORP's ACL manager precisely because of its limitations; see below. On Tue, Dec 14, 2004 at 03:19:28PM +0100, Andre Oppermann wrote: > IPFW2 does have this functionality. It's called "sets" of rules which > you can atomically swap, enable, disable, flush and intermix with each > other. It's there, read ipfw(8), it's on the 15th line. OK. This is probably something I can deal with. Basically XORP has an intermediate rule representation which tries to be generic enough to deal with divergent packet filter implementations across various OS platforms, and yet specific enough to be useful. A XORP rule tuple looks like this: ifname, vifname, src, dst, proto, sport, dport, action Rule matches take place on all fields but the 'action' part of the tuple. The interface to XORP's packet ACL manager is transaction driven to ensure atomicity. Where this atomicity can't be guaranteed by the underlying back-end, the back-end should attempt to mimic it using whatever tricks are necessary. Snapshots get taken at two levels: XORP's intermediate representation described above, and the back-end's state. These snapshots can be taken either for the purpose of safely rolling back state when rulesets are being changed, or for communicating rulesets between different parts of the packet ACL system. I would imagine that mapping between an IPFW2 'set' and a PaIpfwBackend snapshot on the fly would do the trick. I just committed the core of XORP's ACL manager last week, please feel free to have a look at it and give me feedback. Regards, BMS --zCKi3GIZzVBPywwA Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: '' iD8DBQFBvwBcueUpAYYNtTsRAvh1AJ9R1OXVfLBta/M/D5PgimE9MW3/UwCfW+uS KYTGji5nwSljAEt20h+U6IY= =VUpk -----END PGP SIGNATURE----- --zCKi3GIZzVBPywwA--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041214150148.GC684>