Macfilter to route packets through different hooks based on sender MAC address.
Details
Details
- Reviewers
- None
- Group Reviewers
manpages - Commits
- rS368453: Missed adding netgraph to mtree in r368443:
rS368443: New Netgraph module ng_macfilter:
Test script included in /usr/src/tools/test/ng_macfilter. Also actual use in our Hotspot.
Diff Detail
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
Lint Not Applicable - Unit
Tests Not Applicable
Event Timeline
Comment Actions
A few minor things in the man page. You can check it with "mandoc -Tlint" and textproc/igor.
| share/man/man4/ng_macfilter.4 | ||
|---|---|---|
| 50 ↗ | (On Diff #79702) | Line break is needed here after the sentence stop. |
| 61 ↗ | (On Diff #79702) | Another line break needed here. |
| 74 ↗ | (On Diff #79702) | One more line break here at the sentence stop. |
| 75 ↗ | (On Diff #79702) | And another one here. |
Comment Actions
Thank you for the work. In principle the functionality can be emulated by ng_bpf as well, but this kind of node is easier to use.
I'm curios about two things:
- The only selecting criteria is the source mac, isn't it? Would it be difficult to match either by src or dst?
- There is a static array of NG_MACFILTER_UPPER_NUM entries to remember the hooks for the node. Usually such limitations cause trouble in the medium time frame, so I'd ask you to think about getting rid of this array and use the hook traversal functions from the netgraph framework instead.
For the fine details, I'll need some more time. But at the first glance it looks very good. (Especially the test case.)
| sys/netgraph/ng_macfilter.c | ||
|---|---|---|
| 63–66 ↗ | (On Diff #79720) | These 'include's are unnecessary: |
| 71 ↗ | (On Diff #79720) | Ditto. |
| 88 ↗ | (On Diff #79720) | These two variables are not used. |
| 91 ↗ | (On Diff #79720) | These define also unused. |
| sys/netgraph/ng_macfilter.c | ||
|---|---|---|
| 639 ↗ | (On Diff #79720) | It seems to me that check is not needed here. Because the netgraph(4) has already checked that there is no hook with the same name. |
Comment Actions
It will be great if the test can be converted to a test case and put to src/tests/sys/netgraph/ .
Comment Actions
Who would be able to help me get that sorted out? The script as-is is starting to get convoluted.
Nick Hibma
nick@van-laarhoven.org
- Open Source: We stand on the shoulders of giants.
Comment Actions
Thanks. Removed all other checks as well as they are not being triggered either.
Nick Hibma
nick@van-laarhoven.org
- Open Source: We stand on the shoulders of giants.
Comment Actions
Implement suggested changes:
- make number of outbound hooks dynamic (afedorov).
- remove unused includes, unused variables, redundant checks.
- cleanup testing script a little
Comment Actions
I had a look at ng_bpf, and it looks like it should be able to do it, but it's complicated. Also: I need to keep track of packets and bytes. ng_macfilter is specifically geared towards hotspot usage.
Selecting on destination MAC is not a problem per se: add a netgraph message to select either mode and add an if statement in macfilter_ether_input. What would be the use case? In many cases an ipfw firewall table would work there as far as I can see.
NG_MACFILTER_UPPER_NUM I replaced, and added a test adding 42 hooks and removing them in random order.
Comment Actions
I'm happy to, and please note that I don't mean this would be a blocking issue, although having the test connected to the test suite and be run periodically gives some advantages like ensure this work in the future.
While it may take me some time for understand the background and the code, there are also some other channels would help:
- The codes and author of src/tests/sys/net*
- freebsd-testing mailing list
Comment Actions
Final update incorporating all the changes.
Also, make buildworld and buildkernel tested.