From: Andre Oppermann <oppermann@networx.ch>
To: Luigi Rizzo
Cc: Juli Mallett, freebsd-net@freebsd.org
Date: Fri, 02 Nov 2012 23:28:55 +0100
Subject: Re: splitting m_flags to pkthdr.flags + m_flags
Message-ID: <50944927.2040902@networx.ch>
In-Reply-To: <20121102171815.GA64911@onelab2.iet.unipi.it>
References: <20121102123817.GP70741@FreeBSD.org> <5093C29A.4020902@networx.ch> <20121102171815.GA64911@onelab2.iet.unipi.it>
List-Id: Networking and TCP/IP with FreeBSD

On 02.11.2012 18:18, Luigi Rizzo wrote:
> On Fri, Nov 02, 2012 at 09:12:23AM -0700, Juli Mallett wrote:
>> On Fri, Nov 2, 2012 at 5:54 AM, Andre Oppermann wrote:
>>
>>> On 02.11.2012 13:38, Gleb Smirnoff wrote:
>>>
>>>> #define M_SKIP_FIREWALL 0x00004000 /* skip firewall processing */
>>>>
>>>
>>> This one should become an M_PROTO overlay. It is only relevant within
>>> a protocol layer.
>>
>> No, like M_PROMISC it needs to follow packets around throughout the stack,
>> and not conflict with anything else. My memory of the details is a bit
>> hazy, but ipfw2 unfortunately does need the flag to not be something that
>> could be accidentally set or cleared by another protocol layer, and the
>> flag needs to persist. Or did 8 years ago.
>
> M_SKIP_FIREWALL was introduced to make sure that packets coming
> out of a dummynet pipe were not reinjected in the firewall
> unless explicitly requested by the configuration.

Dummynet doesn't set or use M_SKIP_FIREWALL.

> I think it is also used by the ipfw stateful code so that
> probes to refresh the state of dynamic rules do not end up
> fooling the firewall itself.

Indeed.

> Besides the firewall can be invoked at multiple layers,
> so I believe it makes more sense to preserve the current behaviour
> rather than make it into a M_PROTO flag.

I've looked at the code and it all happens at the IP[46] layer. No layer
crossing going on. M_PROTO use is perfectly valid here.

--
Andre