Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 15 Aug 2002 14:30:56 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        Julian Elischer <julian@elischer.org>
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: RFC: new mbuf flag bit needed
Message-ID:  <20020815143056.A31621@iguana.icir.org>
In-Reply-To: <Pine.BSF.4.21.0208151403010.27476-100000@InterJet.elischer.org>; from julian@elischer.org on Thu, Aug 15, 2002 at 02:03:45PM -0700
References:  <20020815121002.D30190@iguana.icir.org> <Pine.BSF.4.21.0208151403010.27476-100000@InterJet.elischer.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

On Thu, Aug 15, 2002 at 02:03:45PM -0700, Julian Elischer wrote:
...
> > So, i do _not_ want a protocol-specific bit because the info i need
> > is not protocol-specific and goes to a non-protocol-specific module.
> 
> how does ipfw2 connect with appletalk?
> it really IS a protocol specific hack..

yes it does.
From the manpage:

     ipfw can be invoked from multiple places in the protocol stack, under
     control of several system parameters, and it is important to understand
     when this occurs in order to design a proper ruleset. The places where
     ipfw is invoked are listed below, together with the sysctl variables
     which control its invocation.

                 ^     to upper layers   V
                 |                       |
                 +----------->-----------+
                 ^                       V
            [ip_input]              [ip_output]   net.inet.ip.fw.enable=1
                 |                       |
                 ^                       V
           [ether_demux]    [ether_output_frame]  net.link.ether.ipfw=1
                 |                       |
                 +-->--[bdg_forward]-->--+        net.link.ether.bridge_ipfw=1
                 ^                       V
                 |      to devices       |


and also

     The general rule body format is one of the following:

           proto from src to dst [options]
           MAC dst-mac src-mac [mac-type] [from src to dst] [options]

     where fields have the following meaning:

Mostly, ipfw2 is designed so that you can add protocol-specific checks.
MAC header filtering is only the first one after IPv4; i suppose soon we will
have ipv6, and then maybe pppoe.

	cheers
	luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020815143056.A31621>