From: Bruce M Simpson
To: Andre Oppermann
Cc: freebsd-net@freebsd.org
Date: Tue, 14 Dec 2004 07:01:49 -0800
Subject: Re: per-interface packet filters, design approach
Message-ID: <20041214150148.GC684@empiric.icir.org>
In-Reply-To: <41BEF670.95C30ED5@freebsd.org>

Hi,

At this point I'm tempted to explicitly *not* roll support for IPFW1 in XORP's ACL manager precisely because of its limitations; see below.

On Tue, Dec 14, 2004 at 03:19:28PM +0100, Andre Oppermann wrote:
> IPFW2 does have this functionality. It's called "sets" of rules which
> you can atomically swap, enable, disable, flush and intermix with each
> other. It's there, read ipfw(8), it's on the 15th line.

OK. This is probably something I can deal with.

Basically XORP has an intermediate rule representation which tries to be generic enough to deal with divergent packet filter implementations across various OS platforms, and yet specific enough to be useful.

A XORP rule tuple looks like this:

    ifname, vifname, src, dst, proto, sport, dport, action

Rule matches take place on all fields but the 'action' part of the tuple.

The interface to XORP's packet ACL manager is transaction driven to ensure atomicity. Where this atomicity can't be guaranteed by the underlying back-end, the back-end should attempt to mimic it using whatever tricks are necessary.

Snapshots get taken at two levels: XORP's intermediate representation described above, and the back-end's state. These snapshots can be taken either for the purpose of safely rolling back state when rulesets are being changed, or for communicating rulesets between different parts of the packet ACL system.

I would imagine that mapping between an IPFW2 'set' and a PaIpfwBackend snapshot on the fly would do the trick.

I just committed the core of XORP's ACL manager last week; please feel free to have a look at it and give me feedback.

Regards,
BMS
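The transactional ruleset with snapshot and rollback described in the mail, mapped onto the IPFW2 "sets" Andre points to, as an added illustration that is not part of the thread or of XORP's own code. The set numbers 1 and 2, the use of ipfw's "allow"/"deny" spellings for the tuple's action, and treating the XORP vifname as the FreeBSD interface name are assumptions; the ipfw(8) subcommands used are set disable, set swap and delete set.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class AclRule:
    """The tuple from the mail: ifname, vifname, src, dst, proto, sport, dport, action."""
    ifname: str
    vifname: str
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    action: str  # ipfw spelling, "allow" or "deny" (assumed mapping of XORP actions)

    def to_ipfw(self, setnum: int) -> str:
        # ipfw(8) grammar: add [set N] action proto from src [port] to dst [port] via ifname.
        # Assumption: on FreeBSD the XORP vifname is the kernel interface name.
        sp = f" {self.sport}" if self.sport is not None else ""
        dp = f" {self.dport}" if self.dport is not None else ""
        return (f"ipfw add set {setnum} {self.action} {self.proto} "
                f"from {self.src}{sp} to {self.dst}{dp} via {self.vifname}")

class IpfwSetTransaction:
    """Snapshot the live rules, stage edits, and commit by building the new
    ruleset in a disabled set and swapping it with the live set in one step."""
    ACTIVE, STAGING = 1, 2  # assumed set numbers

    def __init__(self, live_rules: List[AclRule]) -> None:
        self.snapshot = list(live_rules)  # rollback copy (the mail's snapshot level)
        self.pending = list(live_rules)

    def add(self, rule: AclRule) -> None:
        # Reject bad rules before emitting anything, so no half-built set is ever loaded.
        if rule.action not in ("allow", "deny"):
            raise ValueError(f"unsupported action {rule.action!r}")
        self.pending.append(rule)

    def rollback(self) -> List[AclRule]:
        self.pending = list(self.snapshot)
        return self.pending

    def commit(self) -> List[str]:
        # Build in the disabled STAGING set; the data path sees only the complete ruleset after 'set swap'.
        cmds = [f"ipfw set disable {self.STAGING}", f"ipfw delete set {self.STAGING}"]
        cmds += [r.to_ipfw(self.STAGING) for r in self.pending]
        cmds += [f"ipfw set swap {self.ACTIVE} {self.STAGING}",
                 f"ipfw delete set {self.STAGING}"]  # the old rules now sit in STAGING
        return cmds
```

commit() returns the command list rather than executing it, so the sequence can be reviewed or logged before a back-end hands it to ipfw(8).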