Date: Fri, 2 Nov 2012 18:18:15 +0100
From: Luigi Rizzo
To: Juli Mallett
Cc: "freebsd-net@freebsd.org"
Subject: Re: splitting m_flags to pkthdr.flags + m_flags
Message-ID: <20121102171815.GA64911@onelab2.iet.unipi.it>

On Fri, Nov 02, 2012 at 09:12:23AM -0700, Juli Mallett wrote:
> On Fri, Nov 2, 2012 at 5:54 AM, Andre Oppermann wrote:
>
> > On 02.11.2012 13:38, Gleb Smirnoff wrote:
> >
> >> #define M_SKIP_FIREWALL 0x00004000 /* skip firewall processing */
> >>
> >
> > This one should become an M_PROTO overlay. It is only relevant within
> > a protocol layer.
>
>
> No, like M_PROMISC it needs to follow packets around throughout the stack,
> and not conflict with anything else. My memory of the details is a bit
> hazy, but ipfw2 unfortunately does need the flag to not be something that
> could be accidentally set or cleared by another protocol layer, and the
> flag needs to persist. Or did 8 years ago.

M_SKIP_FIREWALL was introduced to make sure that packets coming out of
a dummynet pipe were not reinjected in the firewall unless explicitly
requested by the configuration.

I think it is also used by the ipfw stateful code so that probes to
refresh the state of dynamic rules do not end up fooling the firewall
itself.

Besides the firewall can be invoked at multiple layers, so I believe
it makes more sense to preserve the current behaviour rather than
make it into a M_PROTO flag.

cheers
luigi

>
> http://svnweb.freebsd.org/base?view=revision&revision=132274
>
> But there was some disagreement at the time about whether ipfw2 was doing
> the right thing, and this behavior should be legitimized by making it
> actually work right:
>
> http://lists.freebsd.org/pipermail/cvs-src/2004-July/027830.html
>
> If the flag is made back into an M_PROTO (or, even better, removed) then it
> would be best to verify that it does not need to persist, it is okay if the
> flag is set by a different protocol layer, etc., today.
>
> Thanks,
> Juli.
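
A small model of the point argued in this thread, added here as an illustration and not taken from FreeBSD or from any poster: a skip-firewall mark kept in a protocol-private bit is lost when the packet crosses a layer boundary, so a firewall hook at the next layer evaluates the packet again. Only the value of M_SKIP_FIREWALL comes from the thread; `struct pkt`, `firewall_hook`, `cross_layer` and `fw_visits_after_pipe` are hypothetical names, and the M_PROTO1 value and the clearing of protocol bits between layers are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

#define M_PROTO1         0x00000010u  /* assumed value: protocol-private bit */
#define M_SKIP_FIREWALL  0x00004000u  /* value quoted in the thread */
#define MODEL_PROTO_MASK M_PROTO1     /* bits a layer may reuse (model only) */

/* Toy packet header: flag word plus a count of firewall evaluations. */
struct pkt { uint32_t flags; int fw_visits; };

/* Firewall hook: evaluates the rule set unless the skip bit is set. */
static void firewall_hook(struct pkt *p, uint32_t skip_bit)
{
    if (p->flags & skip_bit)
        return;                       /* already processed, pass through */
    p->fw_visits++;
}

/* Handing the packet to another layer: protocol-private bits are wiped. */
static void cross_layer(struct pkt *p)
{
    p->flags &= ~MODEL_PROTO_MASK;
}

/*
 * One packet: evaluated by the firewall, queued in a pipe, marked with
 * skip_bit on exit, then seen by hooks at the same and at the next layer.
 * Returns how many times the rule set was evaluated.
 */
int fw_visits_after_pipe(uint32_t skip_bit)
{
    struct pkt p = { 0, 0 };

    firewall_hook(&p, skip_bit);      /* first pass, rule sends it to a pipe */
    p.flags |= skip_bit;              /* pipe exit: mark as already filtered */
    firewall_hook(&p, skip_bit);      /* same layer: skipped */
    cross_layer(&p);                  /* packet moves to another layer */
    firewall_hook(&p, skip_bit);      /* hook at that layer */
    return p.fw_visits;
}

int main(void)
{
    printf("global flag:   %d evaluation(s)\n",
           fw_visits_after_pipe(M_SKIP_FIREWALL));
    printf("M_PROTO1 flag: %d evaluation(s)\n",
           fw_visits_after_pipe(M_PROTO1));
    return 0;
}
```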