Date:      Tue, 20 Jul 2004 01:09:05 +0000
From:      Darren Reed <darrenr@hub.freebsd.org>
To:        Max Laier <max@love2party.net>
Cc:        cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_fw2.c src/sys/sys mbuf.h
Message-ID:  <20040720010905.GB63588@hub.freebsd.org>
In-Reply-To: <200407170538.14572.max@love2party.net>
References:  <200407170240.i6H2eEHO021683@repoman.freebsd.org> <200407170538.14572.max@love2party.net>

On Sat, Jul 17, 2004 at 05:38:07AM +0200, Max Laier wrote:
> On Saturday 17 July 2004 04:40, Juli Mallett wrote:
> >   Log:
> >   Make M_SKIP_FIREWALL a global (and semantic) flag, preventing anything
> > from using M_PROTO6 and possibly shooting someone's foot, as well as
> > allowing the firewall to be used in multiple passes, or with a packet
> > classifier frontend, that may need to explicitly allow a certain packet. 
> > Presently this is handled in the ipfw_chk code as before, though I have run
> > with it moved to upper layers, and possibly it should apply to ipfilter and
> > pf as well, though this has not been investigated.
> 
> pf does something to the same effect by prepending an mbuf with the 
> "PACKET_TAG_PF_GENERATED" mbuf_tag to skip processing for its own packets. If 
> we can agree that the presence of M_SKIP_FIREWALL is copied to icmp error 
> messages I will happily replace the mbuf tag with the more general flag 
> (which will perform significantly better, I believe). Please tell me what you 
> think of this.

Hmmm...personally, I think it is better if firewall packages only ignore
what they've generated themselves.

If you're using multiple ones together, you may wish to use one as a gap
filler that is able to manage the "output" of another.

Darren
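A constructed C model of the two designs argued over in this thread, added here as an illustration and not FreeBSD's own code: a global M_SKIP_FIREWALL flag that every firewall honours, versus a per-package origin tag (in the spirit of PACKET_TAG_PF_GENERATED) that lets each firewall skip only its own output, as Darren suggests. The struct, enum, flag bit value and function names are hypothetical; the point it shows is that only the per-package design lets ipfw act as a gap filler that still gets to inspect the ICMP errors pf generates.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed userland model of the two designs argued over in this thread; an added
 * illustration, not FreeBSD kernel code. The struct, enum, flag bit value and
 * function names are hypothetical. */
#define M_SKIP_FIREWALL 0x01   /* global "skip every firewall" flag; bit value made up */
enum fw { FW_NONE = 0, FW_IPFW, FW_PF };

struct pkt {
    unsigned flags;  /* mbuf-style global flags */
    enum fw tag;     /* which package generated it, like PACKET_TAG_PF_GENERATED */
};

/* Design A (global flag): every firewall honours M_SKIP_FIREWALL, whoever set it. */
static bool inspects_global(const struct pkt *p)
{
    return (p->flags & M_SKIP_FIREWALL) == 0;
}

/* Design B (Darren's suggestion): a firewall skips only what it generated itself. */
static bool inspects_own_only(enum fw me, const struct pkt *p)
{
    return p->tag != me;
}

/* pf rejects a packet and emits an ICMP error, marking it as its own output. */
static struct pkt pf_icmp_error(bool use_global_flag)
{
    struct pkt p = { 0, FW_PF };
    if (use_global_flag)
        p.flags |= M_SKIP_FIREWALL;   /* the "copied to icmp error messages" case */
    return p;
}

/* Does a given firewall inspect pf's ICMP error under the chosen design? */
bool fw_inspects_pf_output(enum fw me, bool use_global_flag)
{
    struct pkt p = pf_icmp_error(use_global_flag);
    return use_global_flag ? inspects_global(&p) : inspects_own_only(me, &p);
}

int main(void)
{
    printf("global flag: ipfw inspects pf's ICMP error? %s\n",
           fw_inspects_pf_output(FW_IPFW, true) ? "yes" : "no");   /* no */
    printf("own-only:    ipfw inspects pf's ICMP error? %s\n",
           fw_inspects_pf_output(FW_IPFW, false) ? "yes" : "no");  /* yes */
    return 0;
}
```

Under either design pf still skips its own ICMP error; the difference is only whether a second package downstream is also forced to skip it.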