I would like to find the appropriate place to discuss my idea for a new netgraph node type that filters traffic based on ethernet and IP address.
As a snippet sometimes says more than a thousand words, here it is for the gist of it:
Code:
ngctl mkpeer ngeth0: antispoof ether filter
ngctl name ngeth0:ether as
ngctl msg as: addinet '{ ether=0a:00:de:ad:be:ef ip_addr=192.168.42.1 }'
This would block any traffic that is addressed to or originates from ngeth0 that refers to that interface with a different ethernet or IP address than the ones indicated above.

My motivation for this is based on the desire to prevent VNET jails from spoofing, the lack of L2 support (and other peculiarities) by pf(4) and some interesting behavior I have observed regarding bridge(4) with added epair(4) interfaces.
Note that I am not here for advice on using ipfw(8) instead of pf. So please don't.
I have already implemented the node type as a proof of concept and played with it a bit. So I'm not really here for advice on how to implement something like this, but rather on how to kick off a discussion and where the appropriate place for this would be (freebsd-net or any other mailinglist, forum, ...). I have to admit that after looking into the developer handbook and other sources I am still not sure what the process for creating a new kernel module looks like in terms of the FreeBSD community. So any guidance is highly appreciated.
Maybe this is already the place to be, in which case I will happily present a more detailed case and ask for advice on certain details I can't seem to make my mind up about.
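Added example (not the poster's node or any FreeBSD code): a userland model of the check the ngctl snippet configures, so the drop/pass semantics can be exercised against constructed frames. It assumes the hook named "ether" faces ngeth0 and "filter" faces the rest of the graph, and that broadcast/multicast destinations are passed.

```python
import struct

# Constructed model of the anti-spoof check described above, not the author's
# netgraph node. A frame received on hook "ether" originates from ngeth0, so its
# source addresses must equal the bound (ether, ip_addr) pair; a frame received
# on hook "filter" is addressed to ngeth0, so its destination addresses must.
# ARP is checked on its sender fields too, since that is where ARP spoofing lives.
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip4(s):
    return bytes(int(o) for o in s.split("."))

def frame_addrs(frame):
    """Return ((src_mac, src_ip), (dst_mac, dst_ip)); IPs are None when absent."""
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if etype == ETHERTYPE_IP and len(frame) >= 34:
        return (src, frame[26:30]), (dst, frame[30:34])       # IPv4 saddr/daddr
    if etype == ETHERTYPE_ARP and len(frame) >= 42:
        return (src, frame[28:32]), (dst, frame[38:42])       # ARP spa/tpa
    return (src, None), (dst, None)

def allow(hook, frame, ether, ip_addr):
    """True if the frame may pass the node, False if the node would drop it."""
    (smac, sip), (dmac, dip) = frame_addrs(frame)
    etype = struct.unpack("!H", frame[12:14])[0]
    if hook == "ether":                       # from ngeth0: check source side
        macs, addr = [smac], sip
        if etype == ETHERTYPE_ARP:
            macs.append(frame[22:28])         # ARP sender hardware address
    else:                                     # toward ngeth0: check destination
        if dmac[0] & 1:                       # broadcast/multicast (assumption)
            return True
        macs, addr = [dmac], dip
    if any(m != ether for m in macs):
        return False
    return addr is None or addr == ip_addr

def ipv4_frame(dmac, smac, sip, dip):
    """Minimal Ethernet + IPv4 header (constructed sample, no payload)."""
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, sip, dip)
    return dmac + smac + struct.pack("!H", ETHERTYPE_IP) + iphdr

def arp_frame(dmac, smac, op, sha, spa, tha, tpa):
    """Ethernet + ARP (constructed sample)."""
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IP, 6, 4, op, sha, spa, tha, tpa)
    return dmac + smac + struct.pack("!H", ETHERTYPE_ARP) + body
```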
