From: Julian Elischer
To: Luigi Rizzo
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Date: Fri, 16 Aug 2002 10:36:10 -0700 (PDT)
Subject: Re: cvs commit: src/sys/netinet ip_fw2.c src/sbin/ipfw ipfw.8 ipfw2.c
In-Reply-To: <200208161031.g7GAVmQ7053775@freefall.freebsd.org>

I do object a bit to an mbuf flag being assigned for something that is protocol specific. ipfw is an IP specific thing. ipfw in bridging is a hack that should have been done differently. It should be 'macfw' with an option to further call ipfw if the protocol turns out to be IP. Each protocol should have the opportunity to supply its own firewall. The current method has been a practical first step but it needs to be ripped out and re-implemented properly. We are breaking layers all over the place.
On Fri, 16 Aug 2002, Luigi Rizzo wrote:

> luigi 2002/08/16 03:31:47 PDT
>
> Modified files:
> sys/netinet ip_fw2.c
> sbin/ipfw ipfw.8 ipfw2.c
>
> Log:
> sys/netinet/ip_fw2.c:
>
> Implement the M_SKIP_FIREWALL bit in m_flags to avoid loops
> for firewall-generated packets (the constant has to go in sys/mbuf.h).
>
> Better comments on keepalive generation, and enforce dyn_rst_lifetime
> and dyn_fin_lifetime to be less than dyn_keepalive_period.
>
> Enforce limits (up to 64k) on the number of dynamic buckets, and
> retry allocation with smaller sizes.
>
> Raise default number of dynamic rules to 4096.
>
> Improved handling of set of rules -- now you can atomically
> enable/disable multiple sets, move rules from one set to another,
> and swap sets.
>
> sbin/ipfw/ipfw2.c:
>
> userland support for "noerror" pipe attribute.
>
> userland support for sets of rules.
>
> minor improvements on rule parsing and printing.
>
> sbin/ipfw/ipfw.8:
>
> more documentation on ipfw2 extensions, differences from ipfw1
> (so we can use the same manpage for both), stateful rules,
> and some additional examples.
> Feedback and more examples needed here.
>
> Revision  Changes     Path
> 1.106     +370 -67    src/sbin/ipfw/ipfw.8
> 1.10      +156 -49    src/sbin/ipfw/ipfw2.c
> 1.9       +116 -47    src/sys/netinet/ip_fw2.c
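The loop that the M_SKIP_FIREWALL bit is meant to prevent can be shown with a small model: a firewall that emits packets of its own (keepalives for dynamic rules, in the commit's case) and hands them to the input path will inspect those packets again unless something marks them as already handled. The C below is an added illustration written for this archive page, not FreeBSD's ip_fw2.c or mbuf code; the flag value, the packet structure, the reinjection cap and the "every inspected packet triggers one generated reply" behaviour are all constructed for the model.

```c
/* Model of firewall-generated packets and a "skip firewall" packet flag.
 * Constructed example; not FreeBSD's ip_fw2.c. */
#include <stdio.h>
#include <string.h>

#define M_SKIP_FIREWALL 0x0001   /* assumed bit value for this model */
#define MAX_REINJECT    8        /* guard so the model cannot recurse forever */

struct pkt {
    unsigned flags;     /* stands in for m_flags */
    int generated;      /* 1 if the firewall itself built this packet */
};

static int fw_inspections;   /* how many times the firewall ran */
static int reinjections;     /* packets the model fed back into ip_input */
static int use_skip_flag;    /* 1 = mark generated packets with M_SKIP_FIREWALL */

static void ip_input(struct pkt *p);

/* The firewall. In this model every inspected packet causes one reply
 * (a keepalive stand-in) to be built and handed to the input path. */
static void ipfw_chk(struct pkt *p)
{
    struct pkt reply;

    (void)p;
    fw_inspections++;
    if (reinjections >= MAX_REINJECT)
        return;                   /* model guard only; it is what the flag replaces */
    memset(&reply, 0, sizeof reply);
    reply.generated = 1;
    if (use_skip_flag)
        reply.flags |= M_SKIP_FIREWALL;
    reinjections++;
    ip_input(&reply);             /* generated packet re-enters the input path */
}

/* Input path: firewall-generated packets bypass inspection, everything else is checked. */
static void ip_input(struct pkt *p)
{
    if (p->flags & M_SKIP_FIREWALL)
        return;                   /* deliver without re-running the firewall */
    ipfw_chk(p);
}

/* Send one ordinary packet through the model and report how many times the
 * firewall ran. With the flag the answer is 1; without it the generated
 * replies keep coming back until the guard stops them. */
int inspections_for_one_packet(int skip_flag)
{
    struct pkt p;

    memset(&p, 0, sizeof p);
    fw_inspections = 0;
    reinjections = 0;
    use_skip_flag = skip_flag;
    ip_input(&p);
    return fw_inspections;
}

int main(void)
{
    printf("without flag: %d inspections (model capped at %d reinjections)\n",
           inspections_for_one_packet(0), MAX_REINJECT);
    printf("with flag:    %d inspection\n", inspections_for_one_packet(1));
    return 0;
}
```

The guard constant exists only so the model terminates; in a real stack the unmarked reply would be inspected again each time it was reinjected, which is the loop the flag closes. The model also makes Julian's layering point concrete: the check sits in the generic packet path and the bit lives in the packet header, while the only code that sets it is IP-specific.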