From owner-freebsd-current@FreeBSD.ORG Fri Aug 13 21:48:57 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E516A16A4CE for ; Fri, 13 Aug 2004 21:48:57 +0000 (GMT) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2BD7B43D2F for ; Fri, 13 Aug 2004 21:48:57 +0000 (GMT) (envelope-from andre@freebsd.org) Received: (qmail 9112 invoked from network); 13 Aug 2004 21:48:55 -0000 Received: from dotat.atdotat.at (HELO [62.48.0.47]) ([62.48.0.47]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 13 Aug 2004 21:48:55 -0000 Message-ID: <411D3746.7030308@freebsd.org> Date: Fri, 13 Aug 2004 23:48:54 +0200 From: Andre Oppermann User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040608 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-current@freebsd.org Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Updated ipfw to pfil_hooks patch X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Aug 2004 21:48:58 -0000 I've put a fresh diff of my current work of converting ipfw to use the pfil_hooks API to grab its fresh packet food. http://www.nrg4u.com/freebsd/ipfw-pfilhooks-and-more-20040813.diff The code is approaching finalization but is not yet there. No need for syntactic nitpicking yet. State of the diff: o Normal IPFW packet filter firewalling works fine - STABLE o IPDIVERT works fine - STABLE o DUMMYNET works fine - STABLE o IPFORWARD works for forwarding to local sockets on the ip_input and ip_output path' - TESTING o IPFORWARD works for forwarding to remote addresses only on the ip_output path -TESTING o Layer 2 IPFW for ethernet in/out and bridging does not work in the patch What remains to be done: o General code polishing around the core functions which are already cleaned up o Undo the removal of the Layer2 and bridge hooks and continue to invoke IPFW the old way for the moment (does not hurt) o Fix IPFORWARD to remote to work on ip_input path too o Undo the move of all IP options functions to their own source file o Make IPDIVERT a loadable kernel module (later) My goal is to get this stuff into 5.3R before the code freeze. ---------------------------------------------------------------------------------- Anyone wanting to give the patch a try, feel free to do so and report back the problems or success stories! (Except for Layer2/bridging IPFW which does not work in the above patch). ---------------------------------------------------------------------------------- -- Andre