From: Julian Elischer
To: Gleb Smirnoff
Cc: net@freebsd.org
Date: Mon, 13 Dec 2004 10:11:25 -0800
Subject: Re: per-interface packet filters
Message-ID: <41BDDB4D.2050201@elischer.org>
In-Reply-To: <20041213124051.GB32719@cell.sick.ru>
List-Id: Networking and TCP/IP with FreeBSD

Gleb Smirnoff wrote:
> Dear networkers,
>
> I finally managed to pronounce my idea, although I'm afraid
> of a bikeshed it is going to be buried under.
>
> When managing a complex router with many interfaces the output
> of `ipfw show` (or ipf/pf analog) is getting long and difficult to
> understand. It is also important that many packets are checked
> against the rules that can never be applied to them, wasting CPU
> cycles.
>
> A simple example can be a local network router with many inner interfaces
> and with one interface to the internet. Actually filtering is desired
> only on the external interface, and there is no need for local traffic
> to enter packet filtering routines, e.g. ipfw_chk().
>
> I'd like to implement per-interface pfil hooks, like in the Cisco
> world. Each interface may have an 'in' list of rules and an 'out' list
> of rules. The current global ip_{input,output} filters may coexist
> with per-interface ones, but can be turned off.
>
> Our PFIL interface is quite ready for this, and this is very nice.
> I'll start with creating/editing alternative chains in ipfw. Then
> we will need to add the possibility to register per-interface hooks
> in pfil, and add the possibility to pass one more optional argument
> from pfil to the filter itself.
>
> I'm glad to see any constructive comments on the plan.

I do this now with the current ipfw unchanged. My rules always start with something like:

add 100 skipto 1000 ip from any to any in recv fxp0
add 101 skipto 2000 ip from any to any out xmit fxp0
add 110 skipto 3000 ip from any to any in recv fxp1
add 111 skipto 4000 ip from any to any out xmit fxp1
add 120 skipto 5000 ip from any to any in recv fxp2
add 121 skipto 6000 ip from any to any out xmit fxp2

This allows me to have a dedicated set of rules for each logical flow. Sometimes I even go one step further and define subsections for "out recv fxp0 xmit fxp1" and "from any to me in recv fxp1", etc.

I also sometimes break the rules up further with (for each interface set):

add 1000 skipto 1100 tcp from any to any
add 2000 skipto 2100 tcp from any to any

Then at 1050 and 2050 I have processing for things like UDP and ICMP.

The aim is to minimise the running of unneeded rules, as you said. It is actually faster than just that, because the rules in each section never need to test the interface or direction.

I think this should be in an ipfw "howto".

I'm not saying we shouldn't do what you are saying, but that it is already possible to do very similar things.
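The skipto layout Julian describes, generalised to any list of interfaces, as an added example that is not part of the original thread and not code from either poster. It is a POSIX sh script that prints ipfw rule lines; `ruleset fxp0 fxp1 fxp2` reproduces exactly the numbers in his post. The numbering scheme is my assumption (dispatch table at 100, 101 / 110, 111 / ...; interface i gets its 'in recv' section at (2i+1)*1000 and its 'out xmit' section at (2i+2)*1000; TCP is diverted to base+100 and other protocols handled at base+50), and the allow rules inside each section are placeholders for real policy. One thing the post leaves implicit and the script makes explicit: ipfw falls through to the next numbered rule, so every section (and the dispatch table itself) must end in a terminal allow or deny, otherwise a packet that matches nothing in the "in recv fxp0" section at 1000 runs straight on into the "out xmit fxp0" section at 2000 and is judged by rules written for a different flow.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the per-interface
# skipto layout Julian describes, for any list of interfaces.
# Numbering is an assumption chosen to match the numbers in his post:
#   dispatch table at 100, 101 / 110, 111 / ...
#   interface i (0-based): 'in recv' section at (2i+1)*1000,
#                          'out xmit' section at (2i+2)*1000
#   inside a section: non-TCP rules at base+50.., TCP rules at base+100..
# The allow rules inside a section are placeholders for the real policy.

# section_base INDEX in|out -> first rule number of that section
section_base() {
    idx="$1"; dir="$2"
    if [ "$dir" = in ]; then
        echo $(( (2 * idx + 1) * 1000 ))
    else
        echo $(( (2 * idx + 2) * 1000 ))
    fi
}

# dispatch_rules IF... -> two skipto rules per interface, then a deny so a
# packet on an interface that is not listed never falls into section 1000.
dispatch_rules() {
    idx=0; num=100
    for ifn in "$@"; do
        echo "add $num skipto $(section_base "$idx" in) ip from any to any in recv $ifn"
        num=$((num + 1))
        echo "add $num skipto $(section_base "$idx" out) ip from any to any out xmit $ifn"
        idx=$((idx + 1)); num=$((num + 9))
    done
    echo "add $num deny log ip from any to any"
}

# section_rules BASE -> one section. Interface and direction are already
# known here, so no rule repeats those tests. TCP is diverted to base+100;
# everything else is handled at base+50... Each sub-chain ends in an
# explicit deny: ipfw falls through to the next rule number, so without it
# a packet matching nothing in section 1000 would run on into section 2000.
section_rules() {
    base="$1"
    echo "add $base skipto $((base + 100)) tcp from any to any"
    echo "add $((base + 50)) allow udp from any to any 53"
    echo "add $((base + 51)) allow icmp from any to any icmptypes 0,3,8,11"
    echo "add $((base + 99)) deny log ip from any to any"
    echo "add $((base + 100)) allow tcp from any to any established"
    echo "add $((base + 101)) allow tcp from any to any 22,80,443 setup"
    echo "add $((base + 199)) deny log tcp from any to any"
}

# ruleset IF... -> the complete rule file: dispatch table, then an 'in' and
# an 'out' section per interface, in numeric order.
ruleset() {
    dispatch_rules "$@"
    idx=0
    for ifn in "$@"; do
        section_rules "$(section_base "$idx" in)"
        section_rules "$(section_base "$idx" out)"
        idx=$((idx + 1))
    done
}

# Usage: sh thisfile fxp0 fxp1 fxp2 > /etc/ipfw.rules && ipfw -q /etc/ipfw.rules
if [ "$#" -gt 0 ]; then
    ruleset "$@"
fi
```

The output is plain `add ...` lines, so it can be written to a file and loaded with `ipfw -q /path/to/file` (ipfw reads one command per line from a file given as its argument), or reviewed first with `ipfw -n` to syntax-check without installing anything. Because the dispatch table is the only place interface and direction are tested, the cost per packet is a handful of dispatch rules plus only the rules in the matching section, which is the saving Julian is pointing at.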