[Xorp-hackers] First-cut IP filtering XIF.

Bruce M Simpson bms@spc.org
Sun, 22 Aug 2004 04:30:57 -0700

Hi all,

Here's a first cut at a simple XRL interface to a firewall abstraction
layer (as yet to be coded) in the FEA.

I have chosen to treat IPv4 and IPv6 as separate families, with separate
tables, etc. This may be an appropriate tactic as some of the filtering
providers out there may support IPv4 but not IPv6; those that do support
both generally implement them in separate tables.

(As an aside, I have also begun hacking code for a PF_KEY interface.)

Looking at the Juniper filtering story it appears they *don't* use a
numbered-table method; this does limit flexibility at the expense of
keeping the interface simple. Also, Juniper filters have to be tied to
particular interfaces; presumably this is so that they can be readily
adapted to whatever filtering features exist on their hardware.

All of ipfw, ipf, iptables and pf implement a numbered-table scheme
to some degree. Juniper, however, do specify that rules are evaluated
in the order in which they are defined.

More about how Juniper do filtering can be found here:
http://www.juniper.net/techpubs/software/junos/junos61/swconfig61-policy/html/policy-framework-overview4.html#1030422

Questions/comments/flames...
BMS

[Attachment: fea_filter.xif]

/* $XORP$ */

/*
** IP filtering XRL interface.
*/
interface fea_filter/0.1 {
	/**
	 * Get global IP filter enable status.
	 */
	get_fw_enabled -> enabled:bool

	/**
	 * Set global IP filter enable status.
	 *
	 * @param enabled Enable or disable IP filtering.
	 */
	set_fw_enabled ? enabled:bool

	/**
	 * Get global IP filter default-to-discard status.
	 */
	get_fw_default_discard -> discard:bool

	/**
	 * Set global IP filter default-to-discard status.
	 *
	 * @param discard Discard all datagrams by default if true;
	 * otherwise, accept them.
	 */
	set_fw_default_discard ? discard:bool

	/**
	 * Get the underlying IP filter provider type in use.
	 */
	get_fw_provider -> provider:txt

	/**
	 * Set the underlying IP filter provider type in use.
	 *
	 * @param provider Name of an IP firewall provider to use on
	 * systems which have multiple IP filtering providers.
	 */
	set_fw_provider ? provider:txt

	/**
	 * Get the underlying IP filter provider version in use.
	 */
	get_fw_version -> version:txt

	/**
	 * Add an IPv4 family filter rule.
	 *
	 * @param iface Name of the interface where this filter is to be applied.
	 * @param src Source IPv4 address with network prefix.
	 * @param dst Destination IPv4 address with network prefix.
	 * @param proto IP protocol number for match (actually u8).
	 * @param sport Source TCP/UDP port (actually u16).
	 * @param dport Destination TCP/UDP port (actually u16).
	 * @param action Action to take when this filter is matched.
	 */
	add_filter_4 \
		? \
		iface:txt & \
		src:ipv4net & \
		dst:ipv4net & \
		proto:u32 & \
		sport:u32 & \
		dport:u32 & \
		action:txt

	/**
	 * Add an IPv6 family filter rule.
	 *
	 * @param iface Name of the interface where this filter is to be applied.
	 * @param src Source IPv6 address with network prefix.
	 * @param dst Destination IPv6 address with network prefix.
	 * @param proto IP protocol number for match (actually u8).
	 * @param sport Source TCP/UDP port (actually u16).
	 * @param dport Destination TCP/UDP port (actually u16).
	 * @param action Action to take when this filter is matched.
	 */
	add_filter_6 \
		? \
		iface:txt & \
		src:ipv6net & \
		dst:ipv6net & \
		proto:u32 & \
		sport:u32 & \
		dport:u32 & \
		action:txt

	/**
	 * Delete an IPv4 family filter rule.
	 *
	 * @param iface Name of the interface where this filter is to be deleted.
	 * @param src Source IPv4 address with network prefix.
	 * @param dst Destination IPv4 address with network prefix.
	 * @param proto IP protocol number for match (actually u8).
	 * @param sport Source TCP/UDP port (actually u16).
	 * @param dport Destination TCP/UDP port (actually u16).
	 */
	delete_filter_4 \
		? \
		iface:txt & \
		src:ipv4net & \
		dst:ipv4net & \
		proto:u32 & \
		sport:u32 & \
		dport:u32

	/**
	 * Delete an IPv6 family filter rule.
	 *
	 * @param iface Name of the interface where this filter is to
	 * be deleted.
	 * @param src Source IPv6 address with network prefix.
	 * @param dst Destination IPv6 address with network prefix.
	 * @param proto IP protocol number for match (actually u8).
	 * @param sport Source TCP/UDP port (actually u16).
	 * @param dport Destination TCP/UDP port (actually u16).
	 */
	delete_filter_6 \
		? \
		iface:txt & \
		src:ipv6net & \
		dst:ipv6net & \
		proto:u32 & \
		sport:u32 & \
		dport:u32

	/**
	 * Get the first IPv4 family filter rule configured in the system.
	 *
	 * @param token returned token to be provided when calling
	 * get_filter_list_next_4.
	 * @param more returned to indicate whether there are more
	 * list items remaining.
	 */
	get_filter_list_start_4 \
		-> \
		token:u32 & \
		more:bool

	/**
	 * Get the next IPv4 family filter rule configured in the system.
	 *
	 * @param token token from prior call to get_filter_list_start_4.
	 * @param more returned to indicate whether there are more list items
	 * remaining.
	 * @param src returned source IPv4 address with network prefix.
	 * @param dst returned destination IPv4 address with network prefix.
	 * @param proto returned IP protocol number (actually u8).
	 * @param sport returned source TCP/UDP port (actually u16).
	 * @param dport returned destination TCP/UDP port (actually u16).
	 * @param action returned action taken when this filter is matched.
	 */
	get_filter_list_next_4 \
		? \
		token:u32 \
		-> \
		more:bool & \
		src:ipv4net & \
		dst:ipv4net & \
		proto:u32 & \
		sport:u32 & \
		dport:u32 & \
		action:txt

	/**
	 * Get the first IPv6 family filter rule configured in the system.
	 *
	 * @param token returned token to be provided when calling
	 * get_filter_list_next_6.
	 * @param more returned to indicate whether there are more
	 * list items remaining.
	 */
	get_filter_list_start_6 \
		-> \
		token:u32 & \
		more:bool

	/**
	 * Get the next IPv6 family filter rule configured in the system.
	 *
	 * @param token token from prior call to get_filter_list_start_6.
	 * @param more returned to indicate whether there are more list items
	 * remaining.
	 * @param src returned source IPv6 address with network prefix.
	 * @param dst returned destination IPv6 address with network prefix.
	 * @param proto returned IP protocol number (actually u8).
	 * @param sport returned source TCP/UDP port (actually u16).
	 * @param dport returned destination TCP/UDP port (actually u16).
	 * @param action returned action taken when this filter is matched.
	 */
	get_filter_list_next_6 \
		? \
		token:u32 \
		-> \
		more:bool & \
		src:ipv6net & \
		dst:ipv6net & \
		proto:u32 & \
		sport:u32 & \
		dport:u32 & \
		action:txt
}
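As an added illustration (not part of the posted XIF or of XORP's FEA), here is a small Python model of the IPv4 half of this interface: an ordered rule table with first-match-wins evaluation and the global default-discard setting, range checks for the u8/u16 fields the XRL carries as u32, and the token-based list walk. The "accept"/"discard" action names, port 0 meaning "any", and invalidating list tokens when the table changes are assumptions of the example, not something the XIF specifies.

```python
import ipaddress
from collections import namedtuple

# One rule as the add_filter_4 XRL carries it; 0 for a port means "any" (assumed).
Rule = namedtuple("Rule", "iface src dst proto sport dport action")

class FilterTable4:
    """Ordered IPv4 rule table mirroring the fea_filter/0.1 XRLs."""
    def __init__(self, default_discard=False):
        self.rules = []                     # evaluated first-match-wins, in definition order
        self.default_discard = default_discard
        self._iters = {}                    # list token -> index of the next rule to return
        self._next_token = 1

    def add_filter_4(self, iface, src, dst, proto, sport, dport, action):
        # proto is really a u8 and the ports u16, although the XRL carries u32:
        # reject out-of-range values instead of silently truncating them.
        if not (0 <= proto <= 0xff and 0 <= sport <= 0xffff and 0 <= dport <= 0xffff):
            raise ValueError("proto/port out of range")
        if action not in ("accept", "discard"):   # assumed action vocabulary
            raise ValueError("unknown action")
        self.rules.append(Rule(iface, ipaddress.IPv4Network(src),
                               ipaddress.IPv4Network(dst), proto, sport, dport, action))
        self._iters.clear()                 # every outstanding list walk is now stale

    def get_filter_list_start_4(self):
        token, self._next_token = self._next_token, self._next_token + 1
        self._iters[token] = 0
        return token, bool(self.rules)       # (token, more)

    def get_filter_list_next_4(self, token):
        pos = self._iters.get(token)
        if pos is None or pos >= len(self.rules):
            raise KeyError("unknown, exhausted or stale list token")
        self._iters[token] = pos + 1
        return pos + 1 < len(self.rules), self.rules[pos]   # (more, rule)

    def lookup(self, iface, src, dst, proto, sport, dport):
        """Action for one datagram: first matching rule, else the global default."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for r in self.rules:
            if (r.iface == iface and s in r.src and d in r.dst and r.proto == proto
                    and r.sport in (0, sport) and r.dport in (0, dport)):
                return r.action
        return "discard" if self.default_discard else "accept"
```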
