Macfilter to route packets through different hooks based on sender MAC address.
Test script included in /usr/src/tools/test/ng_macfilter. Also actual use in our Hotspot.
Thank you for the work. In principle the functionality can be emulated by ng_bpf as well, but this kind of node is easier to use.
I'm curious about two things:
- The only selection criterion is the source MAC, isn't it? Would it be difficult to match either by src or dst?
- There is a static array of NG_MACFILTER_UPPER_NUM entries to remember the hooks for the node. Usually such limitations cause trouble in the medium time frame, so I'd ask you to think about getting rid of this array and use the hook traversal functions from the netgraph framework instead.
For the fine details, I'll need some more time. But at first glance it looks very good. (Especially the test case.)
It seems to me that this check is not needed here, because netgraph(4) has already checked that there is no hook with the same name.
I had a look at ng_bpf, and it looks like it should be able to do it, but it's complicated. Also: I need to keep track of packets and bytes. ng_macfilter is specifically geared towards hotspot usage.
Selecting on destination MAC is not a problem per se: add a netgraph message to select either mode and add an if statement in macfilter_ether_input. What would be the use case? In many cases an ipfw firewall table would work there as far as I can see.
NG_MACFILTER_UPPER_NUM I replaced, and added a test adding 42 hooks and removing them in random order.
I'm happy to, and please note that I don't mean this would be a blocking issue, although having the test connected to the test suite and run periodically gives some advantages, like ensuring this works in the future.
While it may take me some time to understand the background and the code, there are also some other channels that would help:
- The code and author of src/tests/sys/net*
- freebsd-testing mailing list