Date: Thu, 15 Aug 2002 11:38:25 -0700
From: Luigi Rizzo
To: Julian Elischer
Cc: ipfw@FreeBSD.ORG
Subject: Re: RFC: new mbuf flag bit needed
Message-ID: <20020815113824.B30190@iguana.icir.org>
References: <20020815000720.B24495@iguana.icir.org>

On Thu, Aug 15, 2002 at 10:49:22AM -0700, Julian Elischer wrote:
...
> A bit to force non testing in a firewall might be useful in other places..
> I'd however like to float an idea that maybe there should be more
> specific bits for input and output processing.

Unfortunately bits are a scarce resource in struct m_hdr which we
do not want to change in RELENG_4. Plus, many of the cases you are
mentioning are already taken care of with m_tag/annotations because
you need additional information: e.g. in the "fwd" you need the fwd
address anyways, same for divert (you need the 'next rule'), and
dummynet when you want multiple passes.

The problem with protocol-specific bits is that you'll end up
overloading them, and once you pass the packets to a multi-protocol
module (such as netgraph, or ipfw2) you are in trouble.
E.g. M_PROTO1 has been overloaded by device drivers to report some
vlan-related info. The other M_PROTO* are all taken by the KAME code.

	cheers
	luigi

> for example a 'fwd' packet that has been forwarded out from the input
> filter needs to bypass the output filter.. your bit could be used for
> that. I am just wondering if a separate
> 'input' and 'output' filtering bit may be a worthwhile aim..
> anyhow these are IP specific items so what I suggest is instead, that we
> define 4 or so "protocol family specific" bits
> that are reserved for protocol use. and allow each protocol family to
> define their own use for them.
>
> you could then define bits for
> input-filter bypass,
> output filter bypass,
> input-from-divert
>
> etc.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message