From: Oleg Bulyzhin
To: Andre Oppermann
Cc: cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org
Date: Wed, 24 May 2006 23:07:26 +0400
Subject: Re: cvs commit: src/sys/netinet ip_fw.h ip_fw2.c src/sbin/ipfw ipfw.8 ipfw2.c
Message-ID: <20060524190726.GB62483@lath.rinet.ru>
In-Reply-To: <44747A4C.9090800@freebsd.org>
References: <200605241309.k4OD9tex003002@repoman.freebsd.org> <20060524131602.GA57006@lath.rinet.ru> <44747A4C.9090800@freebsd.org>

On Wed, May 24, 2006 at 05:22:52PM +0200, Andre Oppermann wrote:
> Oleg Bulyzhin wrote:
> > On Wed, May 24, 2006 at 01:09:55PM +0000, Oleg Bulyzhin wrote:
> >> oleg        2006-05-24 13:09:55 UTC
> >>
> >>   FreeBSD src repository
> >>
> >>   Modified files:
> >>     sys/netinet          ip_fw.h ip_fw2.c
> >>     sbin/ipfw            ipfw.8 ipfw2.c
> >>   Log:
> >>   Implement internal (i.e. inside kernel) packet tagging using
> >>   mbuf_tags(9).
> >>   Since tags are kept while the packet resides in kernelspace, it's
> >>   possible to use other kernel facilities (like netgraph nodes) for
> >>   altering those tags.
> >>
> >>   Submitted by:   Andrey Elsukov
> >>   Submitted by:   Vadim Goncharov
> >>   Approved by:    glebius (mentor)
> >>   Idea from:      OpenBSD PF
> >>   MFC after:      1 month
> >>
> >>   Revision  Changes    Path
> >>   1.188     +61 -1     src/sbin/ipfw/ipfw.8
> >>   1.89      +72 -8     src/sbin/ipfw/ipfw2.c
> >>   1.106     +6 -0      src/sys/netinet/ip_fw.h
> >>   1.132     +57 -1     src/sys/netinet/ip_fw2.c
> >
> > Examples of ipfw rule syntax:
> >   count tag 100 ip from any to any
> >   allow untag 10 ip from any to any tagged 10
>
> Does this accept the packet and untag it at the same time? Wouldn't
> it make more sense to have [tag|untag] as their own operators, like
> [allow|deny]?
>
> >   allow tag 200 ip from any to any not tagged 0-65535
> >
>
> --
> Andre

It was just a syntax example; of course those rules are useless.
The main idea of tags: you can alter them outside ipfw, so it's possible
to make policy routing/filtering/etc. decisions outside ipfw.

--
Oleg.
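The tag/untag/tagged syntax quoted in the thread, worked into a small ruleset that actually uses the tags for a policy-routing and filtering decision. This is an added example for this page, not code from the commit or from either author. The interface names em0/em1, the 10.0.1.0/24 guest network, the 10.0.0.0/16 internal range, the next hop 192.0.2.1 and the tag numbers are all assumptions; the rule grammar (tag/untag as action modifiers between the action and the body, "tagged" as a body match accepting a number or range) is the one the commit adds to ipfw(8).

```shell
#!/bin/sh
# Added example, not from the commit or the thread: drive policy routing
# and filtering from ipfw packet tags. em0/em1, 10.0.1.0/24, 10.0.0.0/16,
# 192.0.2.1 and the tag numbers 10 and 20 are hypothetical.

IPFW=${IPFW:-ipfw}   # IPFW=echo prints the commands instead of loading them

load_tag_rules() {
    # 1. Mark inbound guest-LAN traffic with tag 10. "count" does not
    #    terminate processing, so the packet carries the tag further
    #    down the ruleset and, since mbuf tags survive inside the
    #    kernel, into the output pass as well.
    $IPFW add 100 count tag 10 ip from 10.0.1.0/24 to any in recv em0

    # 2. Guest traffic that stays on the internal network must not be
    #    policy routed: detach tag 10 and accept it in the same rule.
    $IPFW add 150 allow untag 10 ip from any to 10.0.0.0/16 in tagged 10

    # 3. Accept the remaining tagged guest traffic on input; the tag
    #    is retained for the decision on output.
    $IPFW add 200 allow ip from any to any in tagged 10

    # 4. Tag 20 is a "drop me" mark that can be set outside ipfw (for
    #    example by a netgraph node); ipfw only has to honour it.
    $IPFW add 300 deny ip from any to any tagged 20

    # 5. Policy routing: packets still tagged 10 on the way out go to
    #    the alternate next hop instead of the default route.
    $IPFW add 400 fwd 192.0.2.1 ip from any to any tagged 10 out

    # 6. Count everything that never picked up a tag, then pass.
    $IPFW add 500 count ip from any to any not tagged 1-65534
    $IPFW add 600 allow ip from any to any
}

# Usage: IPFW=echo APPLY=1 sh ipfw-tags.sh   prints the rules for review
#        APPLY=1 sh ipfw-tags.sh   (as root)  loads them
if [ "${APPLY:-0}" = 1 ]; then
    load_tag_rules
fi
```

Rule order and direction matter: rule 150 must come before rule 200 so that internal-bound packets lose the tag on input and never match the fwd rule, while rule 400 is restricted to `out` so the tag set on input is still present when the forwarding decision is made. On FreeBSD of that era `fwd` also requires the IPFIREWALL_FORWARD kernel option.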