Date: Fri, 02 Nov 2012 23:28:55 +0100
From: Andre Oppermann <oppermann@networx.ch>
To: Luigi Rizzo <rizzo@iet.unipi.it>
Cc: Juli Mallett <jmallett@freebsd.org>, "freebsd-net@freebsd.org" <net@freebsd.org>
Subject: Re: splitting m_flags to pkthdr.flags + m_flags
Message-ID: <50944927.2040902@networx.ch>
In-Reply-To: <20121102171815.GA64911@onelab2.iet.unipi.it>
References: <20121102123817.GP70741@FreeBSD.org> <5093C29A.4020902@networx.ch> <CACVs6=-bLcYAHjzByBWcC0i-=4xurpFAMBBE=CNiSJOiT=hhzw@mail.gmail.com> <20121102171815.GA64911@onelab2.iet.unipi.it>

On 02.11.2012 18:18, Luigi Rizzo wrote:
> On Fri, Nov 02, 2012 at 09:12:23AM -0700, Juli Mallett wrote:
>> On Fri, Nov 2, 2012 at 5:54 AM, Andre Oppermann <oppermann@networx.ch> wrote:
>>
>>> On 02.11.2012 13:38, Gleb Smirnoff wrote:
>>>
>>>> #define M_SKIP_FIREWALL 0x00004000 /* skip firewall processing */
>>>>
>>>
>>> This one should become an M_PROTO overlay. It is only relevant within
>>> a protocol layer.
>>
>>
>> No, like M_PROMISC it needs to follow packets around throughout the stack,
>> and not conflict with anything else. My memory of the details is a bit
>> hazy, but ipfw2 unfortunately does need the flag to not be something that
>> could be accidentally set or cleared by another protocol layer, and the
>> flag needs to persist. Or did 8 years ago.
>
> M_SKIP_FIREWALL was introduced to make sure that packets coming
> out of a dummynet pipe were not reinjected in the firewall
> unless explicitly requested by the configuration.

Dummynet doesn't set or use M_SKIP_FIREWALL.

> I think it is also used by the ipfw stateful code so that
> probes to refresh the state of dynamic rules do not end up
> fooling the firewall itself.

Indeed.

> Besides the firewall can be invoked at multiple layers,
> so I believe it makes more sense to preserve the current behaviour
> rather than make it into a M_PROTO flag.

I've looked at the code and it all happens at the IP[46] layer.
No layer crossing going on. M_PROTO use is perfectly valid here.

-- 
Andre
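
Added example, not part of the thread and not FreeBSD source: a toy C model of the trade-off argued above, showing that a per-layer overlay bit is safe only when it is set and tested within one layer or scrubbed at the layer boundary, while a dedicated bit cannot be aliased by another layer. Assumptions: the value of M_PROTO1, and every `toy_`/`TOY_` name, are constructed for illustration; only the M_SKIP_FIREWALL value comes from the quoted define.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model only; not FreeBSD source. */
#define M_SKIP_FIREWALL 0x00004000u /* dedicated bit, value as quoted in the thread */
#define M_PROTO1        0x00000010u /* assumed value for one per-layer bit */
#define TOY_L2_MARK     M_PROTO1    /* hypothetical link-layer meaning of the bit */
#define TOY_IP_SKIP_FW  M_PROTO1    /* hypothetical IP-layer overlay: "skip firewall" */

struct toy_mbuf { uint32_t m_flags; };

/* The IP-layer firewall hook runs unless the skip bit it looks at is set. */
static bool toy_fw_runs(const struct toy_mbuf *m, uint32_t skip_bit)
{
    return (m->m_flags & skip_bit) == 0;
}

/* A packet marked by the link layer is handed up to IP. With an overlay the
 * hand-off must scrub per-layer bits, or IP misreads the mark as "skip". */
static bool toy_l2_to_ip_fw_runs(uint32_t skip_bit, bool scrub_at_boundary)
{
    struct toy_mbuf m = { .m_flags = TOY_L2_MARK };
    if (scrub_at_boundary)
        m.m_flags &= ~M_PROTO1;
    return toy_fw_runs(&m, skip_bit);
}

/* A state-refresh probe built and checked inside the IP layer never crosses
 * a boundary, so either kind of bit exempts it as intended. */
static bool toy_ip_probe_fw_runs(uint32_t skip_bit)
{
    struct toy_mbuf m = { .m_flags = skip_bit };
    return toy_fw_runs(&m, skip_bit);
}

int main(void)
{
    printf("overlay, scrubbed:   fw runs=%d\n", toy_l2_to_ip_fw_runs(TOY_IP_SKIP_FW, true));
    printf("overlay, unscrubbed: fw runs=%d\n", toy_l2_to_ip_fw_runs(TOY_IP_SKIP_FW, false));
    printf("dedicated bit:       fw runs=%d\n", toy_l2_to_ip_fw_runs(M_SKIP_FIREWALL, false));
    printf("IP-layer probe:      fw runs=%d\n", toy_ip_probe_fw_runs(TOY_IP_SKIP_FW));
    return 0;
}
```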