From: Luigi Rizzo
To: Hajimu UMEMOTO
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, David Horn, freebsd-ipfw@freebsd.org
Date: Sun, 17 Jan 2010 12:04:43 +0100
Subject: Re: Unified rc.firewall ipfw me/me6 issue
Message-ID: <20100117110443.GA58434@onelab2.iet.unipi.it>

On Sun, Jan 17, 2010 at 05:42:58PM +0900, Hajimu UMEMOTO wrote:
> Hi,
>
> >>>>> On Sun, 10 Jan 2010 19:52:32 +0100
> >>>>> Luigi Rizzo said:
>
> rizzo> We only need one 'me' option that matches v4 and v6, because the
> rizzo> other two can be implemented as 'ip4 me' and 'ip6 me' at no extra
> rizzo> cost (the code for 'me' only scans the list corresponding to the
> rizzo> actual address family of the packet).  I would actually vote for
> rizzo> removing the 'me6' microinstruction from the kernel, and implement
> rizzo> it in /sbin/ipfw by generating 'ip6 me'.
>
> rizzo> Feel free to commit the change yourself.
>
> Thank you.  I've committed 1st patch and 3rd patch.
> I think it is better removing the 'me6' microinstruction from the
> kernel, and implement it in /sbin/ipfw by generating 'ip6 me'.
> However, it seems to me that /sbin/ipfw is not designed to generate
> two microinstructions (ip6 me) per one 'me6' easily.

Indeed, it might be useful to insert, at the beginning of function
ipfw_add, a small preprocessing step that translates all instances
of 'me6' into 'ip6 me' and then proceed with the current parsing.

While doing that, one could even NULL-terminate the array av[] so
we don't need to carry both ac and av through the code. Something like

	/* worst case: every argument is 'me6', plus the NULL terminator */
	new_av = safe_calloc(ac*2 + 1, sizeof(char *));
	for (src = dst = 0; src < ac; src++) {
		if (!strcmp(av[src], "me6")) {
			new_av[dst++] = "ip6";
			new_av[dst++] = "me";
		} else {
			new_av[dst++] = av[src];
		}
	}
	new_av[dst] = NULL;	/* terminator, not counted in ac */
	av = new_av;
	ac = dst;

should do the job. Replacing the tests for 'ac > 0' and 'ac > 1' is
straightforward though it touches a large number of lines (most of
the usage is in the 'NEED1' macro).

	cheers
	luigi

> Sincerely,
>
> --
> Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
> ume@mahoroba.org  ume@{,jp.}FreeBSD.org
> http://www.imasy.org/~ume/
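
An added example, not part of the original message or of the ipfw sources: a self-contained C version of the preprocessing step sketched in the reply above, together with a check showing how a NULL-terminated vector can stand in for the 'ac' tests. The names expand_me6() and need_args() are hypothetical, and plain calloc() is used in place of ipfw's safe_calloc().

```c
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not ipfw source; expand_me6() and need_args() are
 * hypothetical names. Returns a new NULL-terminated vector in which every
 * "me6" token is replaced by the pair "ip6", "me"; all other slots keep
 * pointing at the caller's strings. The caller frees the vector only.
 */
static const char **expand_me6(int ac, char *const av[], int *new_ac)
{
	const char **out;
	int src, dst;

	if (ac < 0)
		return NULL;
	/* Worst case: every token doubles, plus one slot for the NULL. */
	out = calloc((size_t)ac * 2 + 1, sizeof(*out));
	if (out == NULL)
		return NULL;
	for (src = dst = 0; src < ac; src++) {
		if (strcmp(av[src], "me6") == 0) {
			out[dst++] = "ip6";
			out[dst++] = "me";
		} else {
			out[dst++] = av[src];
		}
	}
	out[dst] = NULL;	/* terminator is not counted in *new_ac */
	if (new_ac != NULL)
		*new_ac = dst;
	return out;
}

/*
 * Hypothetical stand-in for an "ac >= n" test: with a NULL-terminated
 * vector, walk at most n slots and stop at the first NULL, so the parser
 * never reads past the end even without a separate counter.
 */
static int need_args(const char *const *av, int n)
{
	int i;

	for (i = 0; i < n; i++)
		if (av[i] == NULL)
			return 0;
	return 1;
}
```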