On 1/31/19 3:01 PM, Gleb Smirnoff wrote: > Author: glebius > Date: Thu Jan 31 23:01:03 2019 > New Revision: 343631 > URL: https://svnweb.freebsd.org/changeset/base/343631 > > Log: > New pfil(9) KPI together with newborn pfil API and control utility. > > The KPI have been reviewed and cleansed of features that were planned > back 20 years ago and never implemented. The pfil(9) internals have > been made opaque to protocols with only returned types and function > declarations exposed. The KPI is made more strict, but at the same time > more extensible, as kernel uses same command structures that userland > ioctl uses. > > In nutshell [KA]PI is about declaring filtering points, declaring > filters and linking and unlinking them together. > > New [KA]PI makes it possible to reconfigure pfil(9) configuration: > change order of hooks, rehook filter from one filtering point to a > different one, disconnect a hook on output leaving it on input only, > prepend/append a filter to existing list of filters. > > Now it possible for a single packet filter to provide multiple rulesets > that may be linked to different points. Think of per-interface ACLs in > Cisco or Juniper. None of existing packet filters yet support that, > however limited usage is already possible, e.g. default ruleset can > be moved to single interface, as soon as interface would pride their > filtering points. > > Another future feature is possiblity to create pfil heads, that provide > not an mbuf pointer but just a memory pointer with length. That would > allow filtering at very early stages of a packet lifecycle, e.g. when > packet has just been received by a NIC and no mbuf was yet allocated. > > Differential Revision: https://reviews.freebsd.org/D18951 > > Added: > head/sbin/pfilctl/ > head/sbin/pfilctl/Makefile (contents, props changed) > head/sbin/pfilctl/pfilctl.8 (contents, props changed) > head/sbin/pfilctl/pfilctl.c (contents, props changed) > Modified: > head/ObsoleteFiles.inc > head/sbin/Makefile > head/share/man/man9/Makefile > head/share/man/man9/pfil.9 > head/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c > head/sys/net/if_bridge.c > head/sys/net/if_enc.c > head/sys/net/if_ethersubr.c > head/sys/net/if_var.h > head/sys/net/pfil.c > head/sys/net/pfil.h > head/sys/netinet/ip_fastfwd.c > head/sys/netinet/ip_input.c > head/sys/netinet/ip_output.c > head/sys/netinet/ip_var.h > head/sys/netinet/siftr.c > head/sys/netinet6/ip6_fastfwd.c > head/sys/netinet6/ip6_forward.c > head/sys/netinet6/ip6_input.c > head/sys/netinet6/ip6_output.c > head/sys/netinet6/ip6_var.h > head/sys/netpfil/ipfw/ip_fw_eaction.c > head/sys/netpfil/ipfw/ip_fw_pfil.c > head/sys/netpfil/pf/pf_ioctl.c
This breaks the build. https://ci.freebsd.org/job/FreeBSD-head-powerpc64-build/9220/console > 23:28:54 cc1: warnings being treated as errors > 23:28:54 /usr/src/sbin/pfilctl/pfilctl.c: In function 'help': > 23:28:54 /usr/src/sbin/pfilctl/pfilctl.c:97: warning: nested extern > declaration of '__progname' > 23:28:54 --- all_subdir_lib --- > 23:28:54 --- clog.3.gz --- > 23:28:54 gzip -cn /usr/src/lib/msun/man/clog.3 > clog.3.gz > 23:28:54 --- all_subdir_sbin --- > 23:28:54 *** [pfilctl.o] Error code 1 > 23:28:54 > 23:28:54 make[4]: stopped in /usr/src/sbin/pfilctl -- Regards, Bryan Drewery
signature.asc
Description: OpenPGP digital signature
