# Proposing a new netgraph nodetype: ng_antispoof



## mms (Sep 6, 2020)

I would like to find the appropriate place to discuss my idea for a new netgraph node type that filters traffic based on ethernet and IP address.

As a snippet sometimes says more than a thousand words, here it is for the gist of it:

```
ngctl mkpeer ngeth0: antispoof ether filter
ngctl name ngeth0:ether as
ngctl msg as: addinet '{ ether=0a:00:de:ad:be:ef ip_addr=192.168.42.1 }'
```

This would block any traffic that is addressed to or originates from `ngeth0` that refers to that interface with a different ethernet or IP address as the ones indicated above.

My motivation for this is based on the desire to prevent VNET jails from spoofing, the the lack of L2 support (and other peculiarities) by pf(4) and some interesting behavior I have observed regarding bridge(4) with added epair(4) interfaces.

Note that I am not here for advice on using ipfw(8) instead of pf. So please don't.

I have already implemented the node type as a proof of concept and played with it a bit. So I'm not really here for advice on how to implement something like this, but rather on how to kick off a discussion and where the appropriate place for this would be (freebsd-net or any other mailinglist, forum, ...). I have to admit that after looking into the developer handbook and other sources I am still not sure what the process for creating a new kernel module looks like in terms of the FreeBSD community. So _any_ guidance is highly appreciated.

Maybe this is already the place to be, in which case I will happily present a more detailed case and ask for advice on certain details I can't seem to make my mind up.


----------



## Mjölnir (Sep 9, 2020)

My guess is to write a short message to <freebsd-net@freebsd.org>, <freebsd-hackers@freebsd.org> or <freebsd-current@freebsd.org> (subscribe 1st, see @top of this forum), and very likely you will receive more valuable feedback via IRC on the developer's channels (ask for the channel in your e-mail).


----------



## George (Sep 10, 2020)

It's not guaranteed that you get an answer in the mailing lists. But it's your best bet, if you want to get in contact with the developers.
There is also this wiki. https://wiki.freebsd.org/TomMarcoen/JailNetworking

If you have a very concrete idea, you can post it in bugs.freebsd.org, and label it as request, or patch idea.

reviews.freebsd.org is the place if you have already written the code, and want to submit it.


----------



## mms (Sep 12, 2020)

Thank you a lot!
I've subscribed to the mailing lists and posted my current draft on bugs.freebsd.org: PR 249275.

I will have a look at reviews.freebsd.org as soon as my account has been activated.


----------



## mms (Sep 13, 2020)

Here is the code for review: https://reviews.freebsd.org/D26420


----------



## mms (Sep 15, 2020)

The proposed functionality is already provided by ng_bpf(4)).


----------



## Mjölnir (Sep 15, 2020)

mms said:


> The proposed functionality is already provided by ng_bpf(4)).


I wanted to ask: "how?", but that's described in the review   Even if your propposed work was abandoned, you seem to have found & fixed a bug, that's great!  And very likely you learned much while coding, so your efforts were not in vain.


----------

