current-users: Re: IP Firewalling and IP Filetering

Subject: Re: IP Firewalling and IP Filetering
To: Dave Burgess <burgess@cynjut.neonramp.com>
From: Rob Healey <rob-healey@norstar.com>
List: current-users
Date: 06/09/1996 10:47:55
> I have been playing around with IP Firewalling and IP Filtering all
> week-end.  Here are some observations so far:
> 
> 1.  There has been a recent change in the definition of the 'struct
> ifnet' that has invalidated the members 'if_name' and 'if_unit'.  I am
> guessing that these are the old names for the members 'if_xunit' and
> 'in_index', but I'm not familiar enough with the code to make it work.
> 
[ Stuff deleted ]
> 3.  I tried to install ip_fil2.3.  It was a complete failure.  This
> package required about eight file updates, half of which were
> invalidated by the ipfirewall additions.  One was just wrong (it was
> looking for something in in_proto.c that I couldn't find.
> 

	You need to get ip_fil3.0.4, adds quite a few improvements, including
	NAT! You need to change ip_fil.c around the area where it accesses
	if_unit and if_name[] to use if_xname[] for if_name[] and a kludge
	for if_unit. if_index is NOT the unit ID! It's the number of the
	interface in the whole system, i.e. it's count includes ALL ip
	capable interfaces and not just the kind you want to filter. I
	did a strlen of if_xname and took the last character position as
	the unit ID to use. Breaks down if you have more than 10 of one
	kind of interface but serves my purposes.

	Now, on the philosophical side there are two sides of a coin here:

	A: Why does the core seem to do gratuitous changes like this that
	   fly in the face of industry practice?
	B: You shouldn't rely on internal layout for opaque data structures
	   like ifnet!

	While B has purist ideals, A is why alot of software breaks on
	NetBSD! Ok, so it's the software's fault but whenever "purity"
	changes are made to an interface some effort at providing industry
	De Facto compatability would be appreciated! In this case, a
	sure way to get the unit ID without having to guess/devine it from
	if_xname[] array.

	As a side comment, if NetBSD was consistant with interfaces and ALWAYS
	used struct device at the beginning of network devices softc's 	
 	        structures then this problem could have easily been solved by 
  	        referencing sc->dv_unit which would be initialized in startup
code.
	Most notably ppp and slip pseudo devices don't have the device
	structure in their softc struct; presumably to save space?

	Anyways, I bracketed the changes in an #if NetBSD >= 199606 so I
	could use the code on my other OS's as well. ip_fil3.0.4 is REALLY
	cool! I suggest everyone get a copy, I got mine at:

	coombs.anu.edu.au:/pub/net/kernel/

		-Rob