From: Julian Elischer <julian@elischer.org>
To: Andre Oppermann
Cc: Max Laier, freebsd-net@freebsd.org
Date: Sat, 16 Dec 2006 20:57:58 -0800
Subject: Re: addition to ipfw..
Message-ID: <4584CE56.5070606@elischer.org>
In-Reply-To: <4583B919.8030008@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

Andre Oppermann wrote:
> Max Laier wrote:
>> I don't like the implementation for this reason. It feels hackish to
>> me. What is the reason that you didn't duplicate the ethernet header
>> approach in ip_fw_pfil.c? Speed? Did you measure? It is certainly
>> easier to properly strip off the vlan header in the pfil hook code and
>> reattach it when done (or trust the hardware to do it - if M_VLANTAG
>> was set in the first place).
>>
>> As an aside, I agree that the mtod mania isn't that great either and
>> we should probably do away with it. But that's orthogonal to the vlan
>> handling - I just don't like that to be pulled into *IP*fw. This
>> might just be me, however.
>
> IMO we should split IPFW into two parts (at least logically), one for
> *IP* firewalling, as you say, and one for Ethernet firewalling. With
> different not-intermixed rulesets. /sbin/ipfw could get a hardlink to
> /sbin/efw to do the ethernet rules display and manipulation. Note that
> this is a different thing from the etherbridge stuff where a layer 2
> frame is inspected and turned temporarily into a layer 3 IP packet for
> inspection on the IP layer.

Which is what this is for. I'm inspecting IP packets as they are bridged, even if they are in VLANs.
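The approach Max describes (strip the 802.1Q tag in the pfil hook, let the IP-layer code see a plain Ethernet/IP frame, reattach the tag afterwards, or skip the strip when the NIC already pulled the tag out of band and set M_VLANTAG) is shown below as an added userland example. It is not FreeBSD code and not the patch under discussion: `struct pkt`, `PKT_VLANTAG` and `vtag` are simplified stand-ins for the kernel mbuf, `M_VLANTAG` and the stored TCI, and the frames are constructed in `build_frame`.

```c
/* Added example, not FreeBSD code: model of strip / inspect at L3 / reattach
 * for 802.1Q-tagged frames on a bridge path. struct pkt stands in for the
 * mbuf: PKT_VLANTAG plays the role of M_VLANTAG, vtag holds the TCI. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_VLAN 0x8100
#define ETHERTYPE_IP   0x0800
#define ETHER_HDR_LEN  14
#define VLAN_TAG_LEN   4
#define PKT_VLANTAG    0x01   /* tag held out of band in vtag (cf. M_VLANTAG) */

struct pkt {
    uint8_t  data[1600];
    size_t   len;
    unsigned flags;
    uint16_t vtag;            /* 802.1Q TCI when PKT_VLANTAG is set */
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Remove an in-band tag so offset 14 is the L3 header; keep the TCI out of
 * band. Returns 1 if a tag was removed, 0 if there was nothing to do. */
int vlan_strip(struct pkt *p)
{
    if (p->flags & PKT_VLANTAG)                    /* NIC already stripped it */
        return 0;
    if (p->len < ETHER_HDR_LEN + VLAN_TAG_LEN || get16(p->data + 12) != ETHERTYPE_VLAN)
        return 0;                                  /* untagged frame */
    p->vtag = get16(p->data + 14);
    memmove(p->data + 12, p->data + 16, p->len - 16);  /* close the 4-byte gap */
    p->len -= VLAN_TAG_LEN;
    p->flags |= PKT_VLANTAG;
    return 1;
}

/* Put the tag back in band after inspection. 1 on success, 0 if no
 * out-of-band tag is present, -1 if the buffer would overflow. */
int vlan_reattach(struct pkt *p)
{
    if (!(p->flags & PKT_VLANTAG))
        return 0;
    if (p->len + VLAN_TAG_LEN > sizeof p->data)
        return -1;
    memmove(p->data + 16, p->data + 12, p->len - 12);  /* reopen the gap */
    put16(p->data + 12, ETHERTYPE_VLAN);
    put16(p->data + 14, p->vtag);
    p->len += VLAN_TAG_LEN;
    p->flags &= ~PKT_VLANTAG;
    return 1;
}

/* The IP-layer hook: expects the L3 header at offset 14. Returns the IPv4
 * protocol number, or -1 if the frame is not IPv4 (including still tagged). */
int ip_hook_proto(const struct pkt *p)
{
    const uint8_t *ip = p->data + ETHER_HDR_LEN;
    if (p->len < ETHER_HDR_LEN + 20 || get16(p->data + 12) != ETHERTYPE_IP)
        return -1;
    return (ip[0] >> 4) == 4 ? ip[9] : -1;
}

/* Per-frame bridge path: strip, inspect, restore the frame as found. */
int inspect_bridged_frame(struct pkt *p)
{
    int stripped = vlan_strip(p);
    int proto = ip_hook_proto(p);
    if (stripped)
        vlan_reattach(p);
    return proto;
}

/* Constructed frame: Ethernet (optionally tagged with vid) + minimal IPv4
 * header, protocol 6 (TCP). Addresses are made up. Returns the length. */
size_t build_frame(struct pkt *p, int tagged, uint16_t vid)
{
    static const uint8_t hdr[12] = { 0x00,0x11,0x22,0x33,0x44,0x55,    /* dst */
                                     0x66,0x77,0x88,0x99,0xaa,0xbb };  /* src */
    static const uint8_t ip[20]  = { 0x45,0,0,20, 0,0,0,0, 64,6,0,0,
                                     10,0,0,1, 10,0,0,2 };
    size_t off = 12;
    memset(p, 0, sizeof *p);
    memcpy(p->data, hdr, 12);
    if (tagged) {
        put16(p->data + off, ETHERTYPE_VLAN);
        put16(p->data + off + 2, vid & 0x0fff);
        off += VLAN_TAG_LEN;
    }
    put16(p->data + off, ETHERTYPE_IP);
    memcpy(p->data + off + 2, ip, 20);
    p->len = off + 2 + 20;
    return p->len;
}

/* Run one frame through the hook; -1 if it did not come back byte-identical,
 * otherwise the protocol the hook saw. */
int roundtrip(int tagged, uint16_t vid)
{
    struct pkt p, orig;
    build_frame(&p, tagged, vid);
    orig = p;
    int proto = inspect_bridged_frame(&p);
    return (p.len == orig.len && memcmp(p.data, orig.data, p.len) == 0) ? proto : -1;
}

/* The M_VLANTAG case: tag already removed by the NIC. strip must be a no-op,
 * the hook must see IP, and reattach must reinsert the saved TCI. Returns the
 * in-band VID after reattach, or -1 on any failure. */
int hw_stripped_case(uint16_t vid)
{
    struct pkt p;
    build_frame(&p, 0, 0);
    p.flags = PKT_VLANTAG;
    p.vtag = vid;
    if (vlan_strip(&p) != 0 || inspect_bridged_frame(&p) != 6 || vlan_reattach(&p) != 1)
        return -1;
    return get16(p.data + 12) == ETHERTYPE_VLAN ? (get16(p.data + 14) & 0x0fff) : -1;
}

int main(void)
{
    printf("tagged proto %d, untagged proto %d, hw-stripped vid %d\n",
           roundtrip(1, 100), roundtrip(0, 0), hw_stripped_case(200));
    return 0;
}
```

Two points the model makes visible. First, the hook refuses a frame whose ethertype is still 0x8100, so a tagged frame that reaches the IP layer without being stripped is reported as non-IP rather than having its VLAN TCI misread as the start of an IP header. Second, only one tag is handled: a QinQ frame comes out of `vlan_strip` with a second 0x8100 at offset 12 and is likewise rejected by the hook, which is the safe default until the code deliberately handles stacked tags.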