Date: Thu, 26 Feb 2004 21:03:52 -0800 From: Sam Leffler <sam@errno.com> To: Luigi Rizzo <rizzo@icir.org> Cc: Tim Robbins <tjr@FreeBSD.org> Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c Message-ID: <565913D0-68E2-11D8-AE91-000A95AD0668@errno.com> In-Reply-To: <20040226071123.A31631@xorpc.icir.org> References: <200402260234.i1Q2YDx1014240@repoman.freebsd.org> <20040226060126.GA70201@troutmask.apl.washington.edu> <20040226080517.GA29763@cat.robbins.dropbear.id.au> <20040226015016.B23674@xorpc.icir.org> <403DC956.8EA364B2@freebsd.org> <20040226071123.A31631@xorpc.icir.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Feb 26, 2004, at 7:11 AM, Luigi Rizzo wrote: > On Thu, Feb 26, 2004 at 11:24:22AM +0100, Andre Oppermann wrote: >> Luigi, >> >> do you have any patches ready or in the works to make ipfw2 use the >> PFIL_HOOKS API? That would simplify ip_input() and ip_output() a >> *great* deal. > > no, i will try to look and see if i can implement something of use. > But i don't think you'd save much more than the extra call to > ip_fw_chk() -- things such as 'divert' and 'forward' > greatly interact with the rest of the packet processing in ip_input() > and ip_output(). If you look at the code, calling > the firewall is a short block of code; the big offender is the > processing after the firewall returns with a non-trivial action > (especially 'forward' in ip_output()). I made two attempts to eliminate all the ipfw-, dummmynet-, and bridge-specific code in the ip protocols but never got stuff to the point where I was willing to commit it. My main motivation for doing this was to eliminate much of the incestuous behaviour so that you could reason about locking requirements but there were other benefits (e.g. I was also trying to make the ip code more "firewall agnostic"). The changes involved replacing the well-known function pointers with PFIL_HOOKS, restructuring code and API's so non-ip code could move out of the ip protocol code, and the elimination of MT_TAG mbufs. Max followed through getting the latter committed (thanks, great work!) and I hope to return to this when I've got free time. Sam
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?565913D0-68E2-11D8-AE91-000A95AD0668>