Date:      Fri, 02 Nov 2012 23:28:55 +0100
From:      Andre Oppermann <oppermann@networx.ch>
To:        Luigi Rizzo <rizzo@iet.unipi.it>
Cc:        Juli Mallett <jmallett@freebsd.org>, "freebsd-net@freebsd.org" <net@freebsd.org>
Subject:   Re: splitting m_flags to pkthdr.flags + m_flags
Message-ID:  <50944927.2040902@networx.ch>
In-Reply-To: <20121102171815.GA64911@onelab2.iet.unipi.it>
References:  <20121102123817.GP70741@FreeBSD.org> <5093C29A.4020902@networx.ch> <CACVs6=-bLcYAHjzByBWcC0i-=4xurpFAMBBE=CNiSJOiT=hhzw@mail.gmail.com> <20121102171815.GA64911@onelab2.iet.unipi.it>

On 02.11.2012 18:18, Luigi Rizzo wrote:
> On Fri, Nov 02, 2012 at 09:12:23AM -0700, Juli Mallett wrote:
>> On Fri, Nov 2, 2012 at 5:54 AM, Andre Oppermann <oppermann@networx.ch> wrote:
>>
>>> On 02.11.2012 13:38, Gleb Smirnoff wrote:
>>>
>>>> #define M_SKIP_FIREWALL 0x00004000 /* skip firewall processing */
>>>>
>>>
>>> This one should become an M_PROTO overlay.  It is only relevant within
>>> a protocol layer.
>>
>>
>> No, like M_PROMISC it needs to follow packets around throughout the stack,
>> and not conflict with anything else.  My memory of the details is a bit
>> hazy, but ipfw2 unfortunately does need the flag to not be something that
>> could be accidentally set or cleared by another protocol layer, and the
>> flag needs to persist.  Or did 8 years ago.
>
> M_SKIP_FIREWALL was introduced to make sure that packets coming
> out of a dummynet pipe were not reinjected in the firewall
> unless explicitly requested by the configuration.

Dummynet doesn't set or use M_SKIP_FIREWALL.

> I think it is also used by the ipfw stateful code so that
> probes to refresh the state of dynamic rules do not end up
> fooling the firewall itself.

Indeed.

> Besides the firewall can be invoked at multiple layers,
> so I believe it makes more sense to preserve the current behaviour
> rather than make it into a M_PROTO flag.

I've looked at the code and it all happens at the IP[46] layer.
No layer crossing going on.  M_PROTO use is perfectly valid here.

-- 
Andre
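As an added illustration of the trade-off argued in this thread (constructed for this page; not code from the thread or from FreeBSD), the toy model below carries the "skip firewall" mark either in a dedicated bit or in a layer-private M_PROTO overlay bit and shows the two failure modes Juli is worried about: the mark being cleared at a layer boundary, and an unrelated layer's overlay bit being misread as the mark. The `struct mbuf`, the M_PROTO values and the behaviour of `cross_layer()` are simplified assumptions; only the M_SKIP_FIREWALL value comes from the thread.

```c
/* Constructed example, not FreeBSD code: models the two ways a "skip
 * firewall" mark can be carried on an mbuf, to show why the scope of the
 * flag bit matters.  M_PROTO values and struct layout are illustrative. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Dedicated global flag: lives in its own bit, survives layer crossings. */
#define M_SKIP_FIREWALL 0x00004000
/* Layer-private overlay bits, reused by each protocol for its own purpose
 * (assumed values; the real ones differ). */
#define M_PROTO1        0x00001000
#define M_PROTO2        0x00002000
#define M_PROTOFLAGS    (M_PROTO1 | M_PROTO2)

struct mbuf { uint32_t m_flags; };   /* simplified stand-in for the real mbuf */

/* A layer boundary: protocol-private bits mean nothing to the next layer,
 * so the stack clears them (assumed behaviour, modelled on the mask idea). */
static void cross_layer(struct mbuf *m) { m->m_flags &= ~M_PROTOFLAGS; }

/* Some unrelated layer uses M_PROTO1 for its own purpose. */
static void other_layer_mark(struct mbuf *m) { m->m_flags |= M_PROTO1; }

/* True if the firewall would inspect this packet. */
static bool firewall_inspects(const struct mbuf *m, uint32_t skip_bit) {
    return (m->m_flags & skip_bit) == 0;
}

/* Scenario 1: firewall sets the mark, then the packet crosses a layer.
 * Returns true if the mark was lost (packet gets re-filtered). */
bool mark_lost_after_crossing(uint32_t skip_bit) {
    struct mbuf m = { 0 };
    m.m_flags |= skip_bit;
    cross_layer(&m);
    return firewall_inspects(&m, skip_bit);
}

/* Scenario 2: another layer sets its own M_PROTO1, then the packet reaches
 * the firewall.  Returns true if the firewall wrongly skips it. */
bool bypass_from_foreign_mark(uint32_t skip_bit) {
    struct mbuf m = { 0 };
    other_layer_mark(&m);
    return !firewall_inspects(&m, skip_bit);
}

int main(void) {
    printf("overlay:   lost=%d bypass=%d\n", mark_lost_after_crossing(M_PROTO1), bypass_from_foreign_mark(M_PROTO1));
    printf("dedicated: lost=%d bypass=%d\n", mark_lost_after_crossing(M_SKIP_FIREWALL), bypass_from_foreign_mark(M_SKIP_FIREWALL));
    return 0;
}
```

The overlay variant exhibits both failure modes; the dedicated bit exhibits neither, which is the property a mark that must follow the packet across layers needs (Andre's counter-argument is that, for this flag, no crossing actually occurs).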