On Thu, 16 Dec 2004, Andre Oppermann wrote:

> Kelly Yancey wrote:
> >
> >   How about a generic per-interface pfil demultiplexer?  That is, a module
> > that uses the existing pfil hooks to in turn call per-interface hooks.
> > As Luigi suggested earlier, it would be possible to use the interface
> > index to index an array private to the multiplexer's implementation.
> > If each element in this array had its own pfil_head, then the demultiplexer
> > could then call pfil_run_hooks() using that list.  This would allow you
> > to have your per-interface hooks in a generic way without changing a line
> > of existing code.  It could be entirely encapsulated in kld.  Provided an
> > API to manipulate the per-interface pfil registration, you could even run
> > different filters on different interfaces.
> >   You'd even have a chance of back-porting it to FreeBSD 5.x since you
> > won't be changing the ifnet structure at all.
>
> You'd have to change all firewall packages too.  Currently they are not
> aware of and can't deal with multiple rule chain heads.  This is the
> second main problem of Gleb implementation proposal so far.
>
> Nothing prevents generic routines to have the demultiplexer you describe
> but its use and handling has to be inside each firewall package.
>

  Absolutely.  You could only use such a demultiplexer to select which
interfaces filters would apply to.  The issue of implementing different
behavior depending on the interface (e.g. a firewall implementing
per-interface rulesets) is necessarily a matter for the filter not the
framework.

  That said, since we have 3 firewall implementations, you could use the
demultiplexer to have 3 different sets of rules, each applied to a different
subset of the interfaces.  :)

  Kelly

--
Kelly Yancey  -  [EMAIL PROTECTED],FreeBSD.org}  -  [EMAIL PROTECTED]
"An enlightened people, and an energetic public opinion... will control and
enchain the aristocratic spirit of the government." --Thomas Jefferson

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
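
The demultiplexer discussed in this thread, as an added example that is not part of the original messages and is not FreeBSD code: a userland C model in which one dispatch hook indexes a private array by interface index and runs that interface's own hook list. All names here (`demux_add_hook`, `demux_hook`, `filter_a`, `filter_b`, the table sizes and the packets) are hypothetical stand-ins for the pfil_head and pfil_run_hooks() machinery.

```c
/* Userland model of a per-interface hook demultiplexer; not the pfil(9) API. */
#include <stddef.h>
#include <stdio.h>

#define MAX_IFINDEX 8   /* assumed size of the private per-interface table */
#define MAX_HOOKS   4   /* assumed limit of hooks per interface */

struct pkt { unsigned ifindex; unsigned dport; };   /* constructed packet */
typedef int (*hook_fn)(const struct pkt *);          /* 0 = pass, nonzero = drop */

/* One private hook list per interface index (stands in for a pfil_head). */
static struct { hook_fn hooks[MAX_HOOKS]; size_t n; } if_heads[MAX_IFINDEX];

/* Registration API: attach a filter to exactly one interface. */
int demux_add_hook(unsigned ifindex, hook_fn fn)
{
    if (ifindex >= MAX_IFINDEX || fn == NULL || if_heads[ifindex].n == MAX_HOOKS)
        return -1;
    if_heads[ifindex].hooks[if_heads[ifindex].n++] = fn;
    return 0;
}

/* The single hook that would sit on the global list: dispatch by interface. */
int demux_hook(const struct pkt *p)
{
    /* No list for this interface means the packet passes unfiltered.
     * That fail-open behaviour is a choice of this sketch. */
    if (p->ifindex >= MAX_IFINDEX)
        return 0;
    for (size_t i = 0; i < if_heads[p->ifindex].n; i++) {
        int rv = if_heads[p->ifindex].hooks[i](p);
        if (rv != 0)
            return rv;   /* first drop verdict ends the chain */
    }
    return 0;
}

/* Two constructed filters standing in for different firewall packages. */
int filter_a(const struct pkt *p) { return p->dport == 23; }   /* drop telnet */
int filter_b(const struct pkt *p) { return p->dport != 22; }   /* pass only ssh */

int main(void)
{
    demux_add_hook(1, filter_a);   /* filter A only on interface 1 */
    demux_add_hook(2, filter_b);   /* filter B only on interface 2 */
    struct pkt t1 = { 1, 23 }, t2 = { 2, 80 }, t3 = { 3, 23 };
    printf("%d %d %d\n", demux_hook(&t1), demux_hook(&t2), demux_hook(&t3));
    return 0;
}
```

Interface 3 has no registered filter, so the telnet packet that interface 1 drops is passed there: with this design, coverage depends on every interface being explicitly registered.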