Re: Generic IP Firewalling Chains 1.2

Paul Rusty Russell (Paul.Russell@rustcorp.com.au)
Tue, 20 Jan 1998 23:38:48 +1100


In message <m0xuRCe-0005FsC@lightning.swansea.linux.org.uk> you write:
> > Just released v1.2, with a patch against 2.1.80-pre4. You
> > know, the cool IPV4 firewalling replacement...
>
> Ok. I'll consider merging it soon. However I have a request that stems
> from Alexey's one man cisco obsolescence project. Is there a sane way to
> add
>
> ip_chain_scope(u32 src_ip, u32 dst_ip, u16 src_port, u16 dst_port, u8 protocol)
>
> To tell me if I can cache the result of that firewall rule for
>
> any port
> match src port
> match dst port
> match protocol
>
> so that the per network card caches can handle firewalling when doing
> fast forwarding. (Note sometimes being over cautious is fine - we could
> also simply make it a "hint" field provided by the user application)

It's icky, because of the packet and byte counters on each rule.

Since my firewall chains allow more than one rule to match
(i.e. accounting rules) you can't simply cache the final policy unless
it was the default and no rules were matched. This is not likely to
be the common case.

If we're allowed to play fast and loose with the counters, then this
is very possible.

I'll play with it and try to figure out what the best implementation
of ip_chain_scope is (I'm assuming it returns a bitset like

#define IP_FW_REQUIRE_SRC_PORT_MATCH 0x01
#define IP_FW_REQUIRE_DST_PORT_MATCH 0x02
#define IP_FW_REQUIRE_PROTO_MATCH 0x04
#define IP_FW_REQUIRE_SRC_IP_MATCH 0x08
#define IP_FW_REQUIRE_DST_IP_MATCH 0x10
...etc..
or -1 if you're not allowed to cache...).

I'll try to throw it together by the weekend.
Rusty.

--
 .sig lost in the mail.
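The following is an added illustration of the ip_chain_scope idea sketched in the message above; it is not Rusty's code and not part of ipchains. The IP_FW_REQUIRE_* values are the ones from the message; the rule struct, the IP_FW_SCOPE_NO_CACHE name, the sample chain and the sample_scope/sample_verdict helpers are all assumptions made for this example. It walks a chain for one 5-tuple, records which header fields every tested rule inspected (a fast-path cache would have to key on all of them), and returns -1 whenever a rule's counter was incremented, since a cached verdict would skip that counter on later packets. A loose_counters flag shows the "fast and loose" alternative where only the field dependency is reported.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Scope bits as proposed in the message. */
#define IP_FW_REQUIRE_SRC_PORT_MATCH 0x01
#define IP_FW_REQUIRE_DST_PORT_MATCH 0x02
#define IP_FW_REQUIRE_PROTO_MATCH    0x04
#define IP_FW_REQUIRE_SRC_IP_MATCH   0x08
#define IP_FW_REQUIRE_DST_IP_MATCH   0x10
#define IP_FW_SCOPE_NO_CACHE         (-1)  /* assumed name for the -1 result */

#define FW_ACCEPT 0
#define FW_DENY   1

/* Hypothetical rule layout: a zero mask, port or protocol means "any". */
struct fw_rule {
    uint32_t src_ip, src_mask;
    uint32_t dst_ip, dst_mask;
    uint16_t src_port, dst_port;
    uint8_t  proto;
    int      accounting;   /* 1: count the packet and keep walking the chain */
    int      verdict;      /* FW_ACCEPT or FW_DENY when !accounting */
    unsigned long pkts;    /* per-rule packet counter the slow path maintains */
};

/* Bitset of the header fields this rule actually looks at. */
static int rule_fields(const struct fw_rule *r)
{
    int f = 0;
    if (r->src_mask) f |= IP_FW_REQUIRE_SRC_IP_MATCH;
    if (r->dst_mask) f |= IP_FW_REQUIRE_DST_IP_MATCH;
    if (r->src_port) f |= IP_FW_REQUIRE_SRC_PORT_MATCH;
    if (r->dst_port) f |= IP_FW_REQUIRE_DST_PORT_MATCH;
    if (r->proto)    f |= IP_FW_REQUIRE_PROTO_MATCH;
    return f;
}

static int rule_matches(const struct fw_rule *r, uint32_t s, uint32_t d,
                        uint16_t sp, uint16_t dp, uint8_t p)
{
    return (s & r->src_mask) == (r->src_ip & r->src_mask)
        && (d & r->dst_mask) == (r->dst_ip & r->dst_mask)
        && (!r->src_port || r->src_port == sp)
        && (!r->dst_port || r->dst_port == dp)
        && (!r->proto    || r->proto == p);
}

/* Walk the chain for one 5-tuple; *verdict receives the decision.
 * Returns the scope bitset a per-interface cache must key on, or -1 when
 * caching would silently stop updating some rule's counter. With
 * loose_counters != 0 the caller accepts stale counters. */
int ip_chain_scope(struct fw_rule *chain, size_t n, int default_verdict,
                   int loose_counters, uint32_t s, uint32_t d,
                   uint16_t sp, uint16_t dp, uint8_t p, int *verdict)
{
    int scope = 0, touched_counter = 0;
    size_t i;

    *verdict = default_verdict;
    for (i = 0; i < n; i++) {
        /* Every rule we had to test contributes its fields: a packet that
         * differs in one of them could take another path through the chain. */
        scope |= rule_fields(&chain[i]);
        if (!rule_matches(&chain[i], s, d, sp, dp, p))
            continue;
        chain[i].pkts++;
        touched_counter = 1;
        if (chain[i].accounting)
            continue;               /* accounting rule: no verdict, keep going */
        *verdict = chain[i].verdict;
        break;
    }
    return (touched_counter && !loose_counters) ? IP_FW_SCOPE_NO_CACHE : scope;
}

/* Constructed sample chain: count all TCP, then deny TCP to port 23. */
static struct fw_rule sample[2] = {
    { .proto = 6, .accounting = 1 },
    { .dst_port = 23, .proto = 6, .verdict = FW_DENY },
};
static int last_verdict;

/* Helpers for a fixed 10.0.0.1 -> 10.0.0.2 flow with default ACCEPT. */
int sample_scope(int loose_counters, uint8_t proto, uint16_t dport)
{
    return ip_chain_scope(sample, 2, FW_ACCEPT, loose_counters,
                          0x0a000001u, 0x0a000002u, 40000, dport, proto,
                          &last_verdict);
}
int sample_verdict(void) { return last_verdict; }

int main(void)
{
    printf("UDP/53 strict: scope=%d verdict=%d\n", sample_scope(0, 17, 53), sample_verdict());
    printf("TCP/23 strict: scope=%d verdict=%d\n", sample_scope(0, 6, 23), sample_verdict());
    printf("TCP/23 loose:  scope=%d verdict=%d\n", sample_scope(1, 6, 23), sample_verdict());
    return 0;
}
```

The UDP packet matches nothing, so the default policy is cacheable and the scope is PROTO|DST_PORT (0x06): a cache entry keyed on those two fields can never hide a rule that this flow would have hit. The TCP packets increment the accounting rule's counter and therefore return -1 in strict mode, which is exactly the "not the common case" problem the message describes.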