To: freebsd-ipfw@freebsd.org
From: Vadim Goncharov
Date: Fri, 29 Feb 2008 14:37:14 +0000 (UTC)
Subject: Re: [patch] ipfw_nat as a kld module
Reply-To: vadim_nuclight@mail.ru

Hi Paolo Pisati!

>> * struct ip_fw_chain moved to .h and no longer static, is this good?
>> I suggest to move into its own static chain in module, see next

> the symbol is used outside its originating file

Is it needed if LIST_HEAD will be in its own module?

>> * Instead of returning IP_FW_NAT function is called immediately from
>> ipfw_chk(). This is inconsistent with other modules of this sort, like divert
>> and dummynet, where ipfw_chk() simply returns value and cookie to
>> ipfw_check_*() functions in _pfil.c. If it is done like that, ip_fw2.c
>> is dependent on modules in minimal way, as many of structures and code
>> as possible should be moved to modules. This allows to change module
>> without recompiling main ipfw - for example, your lookup_nat() and
>> LIST_HEAD from ip_fw_chain could reside entirely in module - then it would
>> be possible to easily switch from LIST to hash of some kind (imagine 500
>> NAT instances). And so on.

> that's something i thought about, but i didn't see any tangible improvement
> to this modification, cause part of ipfw_nat would still be called from
> ipfw2.c (see ipfw_ctl).

This could be fixed, too, as is done with dummynet, which is also configured
via ipfw(8). As it is HEAD, ABI can be broken and this will not be done via
ipfw_ctl().

> Anyway, i'll fix a couple of nits and commit as it is.

Why not to fix more?..

--
WBR, Vadim Goncharov. ICQ#166852181
mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]