From: Andre Oppermann <andre@freebsd.org>
To: Oleg Bulyzhin
Cc: cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org
Date: Wed, 24 May 2006 22:30:43 +0200
Subject: Re: cvs commit: src/sys/netinet ip_fw.h ip_fw2.c src/sbin/ipfw ipfw.8 ipfw2.c
Message-ID: <4474C273.7030801@freebsd.org>
In-Reply-To: <20060524190726.GB62483@lath.rinet.ru>

Oleg Bulyzhin wrote:
> On Wed, May 24, 2006 at 05:22:52PM +0200, Andre Oppermann wrote:
>> Oleg Bulyzhin wrote:
>>> On Wed, May 24, 2006 at 01:09:55PM +0000, Oleg Bulyzhin wrote:
>>>> oleg 2006-05-24 13:09:55 UTC
>>>>
>>>> FreeBSD src repository
>>>>
>>>> Modified files:
>>>> sys/netinet ip_fw.h ip_fw2.c
>>>> sbin/ipfw ipfw.8 ipfw2.c
>>>> Log:
>>>> Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
>>>> Since tags are kept while a packet resides in kernel space, it's possible to
>>>> use other kernel facilities (like netgraph nodes) for altering those tags.
>>>>
>>>> Submitted by: Andrey Elsukov
>>>> Submitted by: Vadim Goncharov
>>>> Approved by: glebius (mentor)
>>>> Idea from: OpenBSD PF
>>>> MFC after: 1 month
>>>>
>>>> Revision Changes Path
>>>> 1.188 +61 -1 src/sbin/ipfw/ipfw.8
>>>> 1.89 +72 -8 src/sbin/ipfw/ipfw2.c
>>>> 1.106 +6 -0 src/sys/netinet/ip_fw.h
>>>> 1.132 +57 -1 src/sys/netinet/ip_fw2.c
>>> Examples of ipfw rule syntax:
>>> count tag 100 ip from any to any
>>> allow untag 10 ip from any to any tagged 10
>> Does this accept the packet and untag it at the same time? Wouldn't
>> it make more sense to have [tag|untag] as its own operators like
>> [allow|deny]?
>>
>>> allow tag 200 ip from any to any not tagged 0-65535
>>>
>> --
>> Andre
>
> It was just a syntax example; of course those rules are useless. The main idea
> of tags: you can alter them outside ipfw, so it's possible to make
> policy routing/filtering/etc. decisions outside ipfw.

I'm perfectly fine with tags. My question was just about the ipfw rule syntax
for tagging. See my email to Andrey for a more detailed rant.

--
Andre