Gleb Smirnoff wrote:

Dear networkers,

I finally managed to pronounce my idea, although I'm afraid
of the bikeshed it is going to be buried under.

When managing a complex router with many interfaces the output
of `ipfw show` (or ipf/pf analog) is getting long and difficult to
understand. It is also important that many packets are checked
against the rules that can never be applied to them, wasting CPU
cycles.

A simple example is a local network router with many inner interfaces
and one interface to the internet. Actually, filtering is desired
only on the external interface, and there is no need for local traffic
to enter packet filtering routines, e.g. ipfw_chk().

I'd like to implement per-interface pfil hooks, like in the Cisco
world. Each interface may have an 'in' list of rules and an 'out' list
of rules. The current global ip_{input,output} filters may coexist
with per-interface ones, but can be turned off.

Our PFIL interface is quite ready for this, and this is very nice.
I'll start with creating/editing alternative chains in ipfw. Then
we will need to add possibility to register per-interface hooks
in pfil, and add possibility to pass one more optional argument
from pfil to the filter itself.

I'm glad to see any constructive comments on the plan.



I do this now with the current ipfw unchanged. My rules always start with something like:

add 100 skipto 1000 ip from any to any in recv fxp0
add 101 skipto 2000 ip from any to any out xmit fxp0

add 110 skipto 3000 ip from any to any in recv fxp1
add 111 skipto 4000 ip from any to any out xmit fxp1

add 120 skipto 5000 ip from any to any in recv fxp2
add 121 skipto 6000 ip from any to any out xmit fxp2

This allows me to have a dedicated set of rules for each logical flow.

Sometimes I even go one step further and define subsections for
"out recv fxp0 xmit fxp1" and "from any to me in recv fxp1" .. etc

I also sometimes break the rules up further with
(for each interface set):
add 1000 skipto 1100 tcp from any to any
add 2000 skipto 2100 tcp from any to any

Then at 1050 and 2050 I have processing for things like UDP and ICMP.

The aim is to minimise the running of unneeded rules, as you said.

It is actually faster than just that because the rules in each
section never need to test the interface or direction.
I think this should be in an ipfw "howto".

I'm not saying we shouldn't do what you are saying, but that it is
already possible to do very similar things.





_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
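The layout described in the reply above, written out as an added example (not code from the thread, and not FreeBSD's own): a POSIX shell script that emits an ipfw ruleset with a skipto dispatch table and one section per interface/direction pair, followed by a consistency check for the two mistakes this layout invites: a skipto whose target number has no rule (ipfw then resumes at the next higher rule, which may belong to another interface's section) and a section whose last rule is not an unconditional allow or deny, so packets fall through into the next section. The interface names fxp0/fxp1, the 192.168.1.0/24 prefix, the ports and the ICMP types are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: an ipfw ruleset laid
# out as the reply describes. A dispatch table branches on interface and
# direction with skipto, so rules inside a section never test either again.
# Interface names, the LAN prefix, ports and ICMP types are assumptions.
#
# Usage:  sh ipfw-sections.sh > /etc/ipfw.rules && ipfw -q /etc/ipfw.rules
#         sh ipfw-sections.sh check     # run only the consistency check

EXT_IF="fxp0"             # assumed: interface facing the Internet
INT_IF="fxp1"             # assumed: interface facing the LAN
LAN="192.168.1.0/24"      # assumed: LAN prefix

# Emit the ruleset in the form ipfw(8) reads from a file: one command per
# line, lines starting with # are comments.
gen_rules() {
    cat <<EOF
# --- dispatch table: one skipto per interface/direction pair ---
add 100 skipto 1000 ip from any to any in recv $EXT_IF
add 101 skipto 2000 ip from any to any out xmit $EXT_IF
add 110 skipto 3000 ip from any to any in recv $INT_IF
add 111 skipto 4000 ip from any to any out xmit $INT_IF
# interfaces not listed above (loopback) are handled here and never reach
# the sections below
add 199 allow ip from any to any
# --- 1000: in on $EXT_IF; TCP branches to 1100, everything else stays here ---
add 1000 skipto 1100 tcp from any to any
add 1050 allow udp from any 53 to me
add 1051 allow icmp from any to any icmptypes 0,3,11
add 1099 deny log ip from any to any
# --- 1100: in on $EXT_IF, TCP only (stateless, to keep the layout visible) ---
add 1100 allow tcp from any to me 22 setup
add 1101 allow tcp from any to any established
add 1199 deny log ip from any to any
# --- 2000: out on $EXT_IF ---
add 2000 allow ip from $LAN to any
add 2001 allow ip from me to any
add 2099 deny log ip from any to any
# --- 3000: in on $INT_IF ---
add 3000 allow ip from $LAN to any
add 3099 deny log ip from any to any
# --- 4000: out on $INT_IF ---
add 4000 allow ip from any to $LAN
add 4099 deny log ip from any to any
EOF
}

# Read a ruleset on stdin and exit non-zero if the skipto layout can leak
# packets between sections: every skipto must point forward at a rule that
# exists, and the last rule of every section (a section starts at each skipto
# target) must be an unconditional allow or deny.
check_rules() {
    awk '
    BEGIN { rc = 0 }
    /^add / {
        n = $2; exists[n] = 1; act[n] = $3
        first = ($4 == "log") ? 5 : 4     # skip an optional "log" modifier
        body = $first
        for (i = first + 1; i <= NF; i++) body = body " " $i
        rest[n] = body
        if ($3 == "skipto") {
            if ($4 + 0 <= n + 0) { printf "rule %s: skipto %s does not go forward\n", n, $4; rc = 1 }
            target[$4] = n; start[$4] = 1
        }
    }
    END {
        for (t in target)
            if (!(t in exists)) { printf "rule %s: skipto %s has no target rule\n", target[t], t; rc = 1 }
        for (s in start) {
            nxt = 0                       # first section start after s, 0 if none
            for (o in start) if (o + 0 > s + 0 && (nxt == 0 || o + 0 < nxt)) nxt = o + 0
            last = 0                      # highest-numbered rule inside [s, nxt)
            for (r in exists) if (r + 0 >= s + 0 && (nxt == 0 || r + 0 < nxt) && r + 0 > last) last = r + 0
            if (last == 0) continue       # missing target, already reported
            if (!((act[last] == "allow" || act[last] == "deny") && rest[last] == "ip from any to any")) {
                printf "section %s: last rule %d (%s %s) is not terminal, packets fall through\n", s, last, act[last], rest[last]
                rc = 1
            }
        }
        exit rc
    }'
}

case "${1:-}" in
    check) gen_rules | check_rules ;;
    *)     gen_rules ;;
esac
```

The check is worth running before every reload: ipfw accepts a skipto to a number that has no rule, and a section that ends in a specific rule rather than a catch-all is syntactically fine, so neither mistake is caught at load time. Both show up only as traffic being judged by the wrong interface's rules.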