From: Gleb Smirnoff <glebius@freebsd.org>
To: net@freebsd.org
Date: Mon, 13 Dec 2004 15:40:51 +0300
Subject: per-interface packet filters
Message-ID: <20041213124051.GB32719@cell.sick.ru>
List-Id: Networking and TCP/IP with FreeBSD

Dear networkers,

I finally managed to pronounce my idea, although I'm afraid of a bikeshed it is going to be buried under.

When managing a complex router with many interfaces, the output of `ipfw show` (or its ipf/pf analog) gets long and difficult to understand. It is also important that many packets are checked against rules that can never be applied to them, wasting CPU cycles. A simple example is a local network router with many inner interfaces and one interface to the Internet. Actually, filtering is desired only on the external interface, and there is no need for local traffic to enter the packet filtering routines, e.g. ipfw_chk().

I'd like to implement per-interface pfil hooks, like in the Cisco world. Each interface may have an 'in' list of rules and an 'out' list of rules. The current global ip_{input,output} filters may coexist with per-interface ones, but can be turned off. Our PFIL interface is quite ready for this, and this is very nice.

I'll start with creating/editing alternative chains in ipfw. Then we will need to add the possibility to register per-interface hooks in pfil, and the possibility to pass one more optional argument from pfil to the filter itself.

I'm glad to see any constructive comments on the plan.

--
Totus tuus,
Glebius.
GLEBIUS-RIPN GLEB-RIPE
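As an added example (not code from this mail or from FreeBSD's pfil/ipfw): a small user-space C model of the two dispatch schemes the proposal contrasts, counting how many rules each packet walks before a verdict. Interface names (fxp0 external, fxp1 inner), the rule tables and the first-match/default-accept semantics are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Added example, not from the mail: a user-space model of the two dispatch
 * schemes. All interface names, rules and packets here are constructed. */
enum dir { DIR_IN, DIR_OUT };
struct rule  { const char *via; enum dir dir; bool deny; };  /* "via" = interface */
struct chain { const struct rule *rules; size_t n; };

/* Today's layout: one global chain hooked at ip_input/ip_output. The only
 * rules belong to the external interface fxp0; inner interfaces have none. */
static const struct rule global_rules[] = {
    { "fxp0", DIR_IN, true }, { "fxp0", DIR_IN, true }, { "fxp0", DIR_OUT, true },
};
static const struct chain global_chain = { global_rules, 3 };

/* Proposed layout: an 'in' and an 'out' chain registered per interface. */
static const struct rule fxp0_in[]  = { { "fxp0", DIR_IN, true }, { "fxp0", DIR_IN, true } };
static const struct rule fxp0_out[] = { { "fxp0", DIR_OUT, true } };
struct ifchains { const char *ifname; struct chain in, out; };
static const struct ifchains ifs[] = {
    { "fxp0", { fxp0_in, 2 }, { fxp0_out, 1 } },
    { "fxp1", { NULL, 0 },    { NULL, 0 } },   /* inner interface: nothing to check */
};

/* Walk one chain: the first rule matching (interface, direction) decides;
 * default accept. *evaluated counts every rule looked at, i.e. the CPU cost. */
static bool run_chain(const struct chain *c, const char *ifname, enum dir d, int *evaluated)
{
    for (size_t i = 0; i < c->n; i++) {
        (*evaluated)++;
        if (c->rules[i].dir == d && strcmp(c->rules[i].via, ifname) == 0)
            return !c->rules[i].deny;
    }
    return true;
}

/* Rules evaluated for a packet under the global scheme: every packet sees the whole chain. */
int global_cost(const char *ifname, enum dir d) { int n = 0; run_chain(&global_chain, ifname, d, &n); return n; }

/* Rules evaluated under the per-interface scheme: only that interface's chain runs. */
int perif_cost(const char *ifname, enum dir d)
{
    int n = 0;
    for (size_t i = 0; i < sizeof ifs / sizeof ifs[0]; i++)
        if (strcmp(ifs[i].ifname, ifname) == 0)
            run_chain(d == DIR_IN ? &ifs[i].in : &ifs[i].out, ifname, d, &n);
    return n;
}
```

A packet arriving on the inner interface fxp1 walks all three global rules without matching any, but walks zero rules once chains are per interface.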