From owner-freebsd-net@FreeBSD.ORG Sat Dec 16 09:15:22 2006
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 547AB16A5C6 for ; Sat, 16 Dec 2006 09:15:21 +0000 (UTC) (envelope-from andre@freebsd.org)
Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9B13743CAB for ; Sat, 16 Dec 2006 09:15:02 +0000 (GMT) (envelope-from andre@freebsd.org)
Received: (qmail 2894 invoked from network); 16 Dec 2006 09:01:47 -0000
Received: from c00l3r.networx.ch (HELO [127.0.0.1]) ([62.48.2.2]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 16 Dec 2006 09:01:47 -0000
Message-ID: <4583B919.8030008@freebsd.org>
Date: Sat, 16 Dec 2006 10:15:05 +0100
From: Andre Oppermann
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: Max Laier
References: <457DCD47.5090004@elischer.org> <200612120045.41425.max@love2party.net> <4583119B.20608@elischer.org> <200612160446.02644.max@love2party.net>
In-Reply-To: <200612160446.02644.max@love2party.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org, Julian Elischer
Subject: Re: addition to ipfw..
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 16 Dec 2006 09:15:22 -0000

Max Laier wrote:
> I don't like the implementation for this reason. It feels hackish to me.
> What is the reason that you didn't duplicate the ethernet header approach
> in ip_fw_pfil.c? Speed? Did you measure? It is certainly easier to
> properly strip off the vlan header in the pfil hook code and reattach it
> when done (or trust the hardware to do it - if M_VLANTAG was set in the
> first place).
>
> As an aside, I agree that the mtod mania isn't that great either and we
> should probably do away with it. But that's orthogonal to the vlan
> handling - I just don't like that to be pulled into *IP*fw. This might
> just be me, however.

IMO we should split IPFW into two parts (at least logically), one for
*IP* firewalling, as you say, and one for Ethernet firewalling, with
different, not-intermixed rulesets. /sbin/ipfw could get a hardlink to
/sbin/efw to do the ethernet rules display and manipulation.

Note that this is a different thing from the etherbridge stuff, where a
layer 2 frame is inspected and turned temporarily into a layer 3 IP
packet for inspection on the IP layer.

-- 
Andre
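The strip-then-reattach approach Max describes above (take the 802.1Q tag off in the pfil hook so the IP firewall sees a plain Ethernet/IP frame, put it back when the check is done) worked through on a flat byte buffer. This is an added example for this archive page, not code from FreeBSD's ip_fw_pfil.c or from either poster: real ipfw works on mbuf chains, and when the NIC has already stripped the tag (M_VLANTAG) the TCI travels out of band in the mbuf rather than in the frame bytes; the `struct vlan_tag` here plays that out-of-band role. The frame bytes are constructed and the function names are hypothetical.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeBSD code. Flat buffer instead of an mbuf chain;
 * struct vlan_tag stands in for the M_VLANTAG out-of-band tag. */

#define ETHER_HDR_LEN   14
#define VLAN_TAG_LEN    4
#define ETHERTYPE_VLAN  0x8100
#define ETHERTYPE_IP    0x0800

struct vlan_tag {
    int      present;   /* 1 if a tag was removed and must be put back */
    uint16_t tci;       /* PCP(3) | DEI(1) | VID(12) */
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void     put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

uint16_t vlan_vid(uint16_t tci) { return tci & 0x0fff; }
uint8_t  vlan_pcp(uint16_t tci) { return (uint8_t)(tci >> 13); }

/* Ethertype at the fixed offset an IP firewall expects (right after the MACs). */
uint16_t ether_type(const uint8_t *frame) { return get16(frame + 12); }

/* Remove an 802.1Q tag in place so the frame looks like plain Ethernet/IP.
 * Returns the new length, or -1 if the frame is too short to be valid.
 * An untagged frame is returned unchanged with tag->present == 0. */
int vlan_strip(uint8_t *frame, size_t len, struct vlan_tag *tag)
{
    tag->present = 0;
    if (len < ETHER_HDR_LEN)
        return -1;
    if (ether_type(frame) != ETHERTYPE_VLAN)
        return (int)len;
    if (len < ETHER_HDR_LEN + VLAN_TAG_LEN)
        return -1;                      /* truncated tag: reject rather than guess */
    tag->tci = get16(frame + 14);
    tag->present = 1;
    memmove(frame + 12, frame + 16, len - 16);   /* close the 4-byte gap left by TPID+TCI */
    return (int)(len - VLAN_TAG_LEN);
}

/* Put the tag back after the IP-layer check. cap is the buffer size;
 * reinsertion needs four spare bytes. Returns the new length or -1. */
int vlan_reattach(uint8_t *frame, size_t len, size_t cap, const struct vlan_tag *tag)
{
    if (!tag->present)
        return (int)len;
    if (len < ETHER_HDR_LEN || cap < len + VLAN_TAG_LEN)
        return -1;
    memmove(frame + 16, frame + 12, len - 12);   /* reopen the gap */
    put16(frame + 12, ETHERTYPE_VLAN);
    put16(frame + 14, tag->tci);
    return (int)(len + VLAN_TAG_LEN);
}

/* Constructed sample: tagged frame (VID 100) carrying a minimal IPv4 header. */
size_t build_sample_frame(uint8_t *buf)
{
    static const uint8_t tagged[] = {
        0x00,0x11,0x22,0x33,0x44,0x55,   /* dst MAC (made up) */
        0x66,0x77,0x88,0x99,0xaa,0xbb,   /* src MAC (made up) */
        0x81,0x00,                       /* TPID: 802.1Q */
        0x00,0x64,                       /* TCI: PCP 0, DEI 0, VID 100 */
        0x08,0x00,                       /* inner ethertype: IPv4 */
        0x45,0x00,0x00,0x14,0x00,0x00,0x00,0x00,0x40,0x01,0x00,0x00,
        0x0a,0x00,0x00,0x01,0x0a,0x00,0x00,0x02   /* 20-byte IPv4 header, checksum left 0 */
    };
    memcpy(buf, tagged, sizeof tagged);
    return sizeof tagged;
}

/* Strip, let a stand-in IP-layer check look at the frame, reattach, and
 * confirm the bytes are identical to the input. 0 on success, else the
 * number of the step that failed. */
int vlan_roundtrip_check(void)
{
    uint8_t frame[64], ref[64];
    struct vlan_tag tag;
    size_t n = build_sample_frame(frame);
    build_sample_frame(ref);

    int stripped = vlan_strip(frame, n, &tag);
    if (stripped != (int)(n - VLAN_TAG_LEN) || !tag.present || vlan_vid(tag.tci) != 100)
        return 1;
    if (ether_type(frame) != ETHERTYPE_IP || (frame[14] >> 4) != 4)
        return 2;                       /* IP firewall now sees IPv4 at offset 14 */
    if (vlan_reattach(frame, (size_t)stripped, sizeof frame, &tag) != (int)n)
        return 3;
    if (memcmp(frame, ref, n) != 0)
        return 4;
    return 0;
}

int main(void)
{
    printf("vlan strip/reattach round trip: %s\n",
           vlan_roundtrip_check() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The point of the capacity check in `vlan_reattach` is the same one an mbuf implementation has to make with M_PREPEND or leading space: the four bytes have to come from somewhere, and a frame that was handed in already tagged in the data (no M_VLANTAG) leaves no headroom unless the strip step kept it.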