Date: Thu, 26 Feb 2004 07:11:23 -0800
From: Luigi Rizzo <rizzo@icir.org>
To: Andre Oppermann <andre@freebsd.org>
Cc: Steve Kargl <sgk@troutmask.apl.washington.edu>
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c
Message-ID: <20040226071123.A31631@xorpc.icir.org>
In-Reply-To: <403DC956.8EA364B2@freebsd.org>; from andre@freebsd.org on Thu, Feb 26, 2004 at 11:24:22AM +0100
References: <200402260234.i1Q2YDx1014240@repoman.freebsd.org> <20040226060126.GA70201@troutmask.apl.washington.edu> <20040226080517.GA29763@cat.robbins.dropbear.id.au> <20040226015016.B23674@xorpc.icir.org> <403DC956.8EA364B2@freebsd.org>
On Thu, Feb 26, 2004 at 11:24:22AM +0100, Andre Oppermann wrote:
> Luigi,
>
> do you have any patches ready or in the works to make ipfw2 use the
> PFIL_HOOKS API? That would simplify ip_input() and ip_output() a
> *great* deal.

no, i will try to look and see if i can implement something of use.
But i don't think you'd save much more than the extra call to
ip_fw_chk() -- things such as 'divert' and 'forward' greatly interact
with the rest of the packet processing in ip_input() and ip_output().

If you look at the code, calling the firewall is a short block
of code; the big offender is the processing after the firewall
returns with a non-trivial action (especially 'forward' in ip_output()).

cheers
luigi

> --
> Andre