From: Andre Oppermann <oppermann@networx.ch>
Date: Fri, 19 Oct 2012 16:05:42 +0200
To: "Andrey V. Elsukov"
Cc: ipfw@freebsd.org, net@freebsd.org
Subject: Re: [RFC] Enabling IPFIREWALL_FORWARD in run-time
Message-ID: <50815E36.6010703@networx.ch>
In-Reply-To: <50814523.2070002@FreeBSD.org>
References: <508138A4.5030901@FreeBSD.org> <50814166.1000602@networx.ch> <50814523.2070002@FreeBSD.org>

On 19.10.2012 14:18, Andrey V. Elsukov wrote:
> On 19.10.2012 16:02, Andre Oppermann wrote:
>>> http://people.freebsd.org/~ae/pfil_forward.diff
>>>
>>> Also we have done some tests with the ixia traffic generator connected
>>> via 10G network adapter. Tests have shown that there is no visible
>>> difference, and there is no visible performance degradation.
>>>
>>> Any objections?
>>
>> No objection as such. However I don't entirely agree with the
>> naming of pfil_forward. The functionality is specific to IPFW
>> and TCP, it's doing transparent interjected termination of tcp
>> connections on the local host while keeping the original IP
>> addresses and port numbers visible in netstat output.
>>
>> So it's a feature of IPFW/IP and should be fitted in there for
>> sysctl name and .h files instead of pfil.
>
> Actually it can be used not only by ipfw. We already have
> net.inet.ip.forwarding and net.inet6.ip6.forwarding variables, and
> placing it into net.inet.ip.fw is undesirable, because we can have
> kernel without ipfw. So, I decided to choose pfil, because it could not
> work without pfil.

Again, it's not a property of pfil. It's a property of IP and it should
live there from a configuration point of view. Other firewalls than ipfw
don't make use of it. You could rename it to transparent connection proxy
or some such.

-- 
Andre