From owner-freebsd-ipfw Thu Aug 15 14:40:33 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 32CB337B744 for ; Thu, 15 Aug 2002 14:39:48 -0700 (PDT)
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id E21C5442EF for ; Thu, 15 Aug 2002 14:31:43 -0700 (PDT) (envelope-from rizzo@iguana.icir.org)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g7FLUuK31932; Thu, 15 Aug 2002 14:30:56 -0700 (PDT) (envelope-from rizzo)
Date: Thu, 15 Aug 2002 14:30:56 -0700
From: Luigi Rizzo
To: Julian Elischer
Cc: ipfw@FreeBSD.ORG
Subject: Re: RFC: new mbuf flag bit needed
Message-ID: <20020815143056.A31621@iguana.icir.org>
References: <20020815121002.D30190@iguana.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: ; from julian@elischer.org on Thu, Aug 15, 2002 at 02:03:45PM -0700
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Aug 15, 2002 at 02:03:45PM -0700, Julian Elischer wrote:
...
> > So, i do _not_ want a protocol-specific bit because the info i need
> > is not protocol-specific and goes to a non-protocol-specific module.
>
> how does ipfw2 connect with appletalk?
> it really IS a protocol specific hack..

yes it does. From the manpage:

     ipfw can be invoked from multiple places in the protocol stack, under
     control of several system parameters, and it is important to
     understand when this occurs in order to design a proper ruleset.
     The places where ipfw is invoked are listed below, together with the
     sysctl variables which control its invocation.
           ^    to upper layers    V
           |                       |
           +----------->-----------+
           ^                       V
      [ip_input]              [ip_output]         net.inet.ip.fw.enable=1
           |                       |
           ^                       V
      [ether_demux]      [ether_output_frame]     net.link.ether.ipfw=1
           |                       |
           +-->--[bdg_forward]-->--+              net.link.ether.bridge_ipfw=1
           ^                       V
           |      to devices       |

and also

     The general rule body format is one of the following:

           proto from src to dst [options]
           MAC dst-mac src-mac [mac-type] [from src to dst] [options]

     where fields have the following meaning:

Mostly, ipfw2 is designed so that you can add protocol-specific checks.
MAC header filtering is only the first one after IPv4; I suppose soon
we will have IPv6, and then maybe PPPoE.

	cheers
	luigi
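The two manpage excerpts quoted in the message above go together: a rule written in the MAC form (or carrying the `layer2` option) can only be evaluated when ipfw is invoked from ether_demux/ether_output_frame, which the diagram ties to net.link.ether.ipfw=1, while a plain IP rule is evaluated from ip_input/ip_output under net.inet.ip.fw.enable=1. The following script is an added example, not code from the post, from Luigi Rizzo or from the ipfw(8) manpage. It parses rule bodies in the two shapes the manpage gives and reports rules that can never match under a given set of sysctl values, which is the check a ruleset reviewer wants after reading that diagram. The action list, the set of option keywords recognised after the MAC addresses, the sample ruleset and the sysctl values are all assumptions constructed for the example; on a real host the values would come from sysctl(8).

```python
import re
import shlex

# Invocation points and the sysctl that enables each, as in the diagram
# quoted from ipfw(8) in the message above.
IP_HOOK = ("ip_input/ip_output", "net.inet.ip.fw.enable")
LINK_HOOK = ("ether_demux/ether_output_frame", "net.link.ether.ipfw")

# Assumption: a subset of ipfw2 actions, enough for the sample ruleset.
ACTIONS_WITH_ARG = {"skipto", "pipe", "queue", "divert", "tee", "fwd", "forward"}
ACTIONS = {"allow", "pass", "accept", "deny", "drop", "reject",
           "count", "check-state"} | ACTIONS_WITH_ARG

# dst-mac / src-mac: "any" or a 48-bit address with optional /bits or &mask.
MAC_RE = re.compile(
    r"^([0-9a-f]{2}:){5}[0-9a-f]{2}(/\d+|&([0-9a-f]{2}:){5}[0-9a-f]{2})?$", re.I)
# Assumption: words that may follow the two MAC addresses without a mac-type.
OPTION_WORDS = {"from", "in", "out", "via", "recv", "xmit", "layer2",
                "bridged", "log", "keep-state", "setup", "established", "frag"}


def parse_rule(line):
    """Describe one 'ipfw add ...' line; raise ValueError if it is malformed."""
    toks = shlex.split(line)
    if toks[:1] == ["ipfw"]:
        toks = toks[1:]
    if toks[:1] == ["add"]:
        toks = toks[1:]
    number = None
    if toks and toks[0].isdigit():
        number = int(toks.pop(0))
    if not toks or toks[0] not in ACTIONS:
        raise ValueError(f"unknown action in rule: {line!r}")
    action = toks.pop(0)
    if action in ACTIONS_WITH_ARG:
        if not toks:
            raise ValueError(f"{action} needs an argument: {line!r}")
        action = f"{action} {toks.pop(0)}"
    if not toks:
        raise ValueError(f"empty rule body: {line!r}")
    mac_type = None
    if toks[0].lower() == "mac":
        # MAC dst-mac src-mac [mac-type] [from src to dst] [options]
        kind = "mac"
        if len(toks) < 3 or not all(t == "any" or MAC_RE.match(t) for t in toks[1:3]):
            raise ValueError(f"MAC rule needs dst-mac and src-mac: {line!r}")
        rest = toks[3:]
        if rest and rest[0] not in OPTION_WORDS:
            mac_type = rest.pop(0)
    else:
        # proto from src to dst [options]
        kind = "ip"
        if len(toks) < 5 or toks[1] != "from" or toks[3] != "to":
            raise ValueError(f"expected 'proto from src to dst': {line!r}")
        rest = toks[5:]
    # MAC-form rules, and rules with the layer2/bridged option, are only seen
    # when ipfw runs from the ethernet layer; everything else from the IP layer.
    hook, sysctl = LINK_HOOK if kind == "mac" or {"layer2", "bridged"} & set(rest) else IP_HOOK
    return {"number": number, "action": action, "kind": kind,
            "mac_type": mac_type, "hook": hook, "sysctl": sysctl}


def dead_rules(ruleset, sysctls):
    """Return (number, hook, sysctl) for rules whose hook is disabled.

    `sysctls` maps sysctl name to its integer value (constructed input here)."""
    dead = []
    for line in ruleset.strip().splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        rule = parse_rule(line)
        if sysctls.get(rule["sysctl"], 0) != 1:
            dead.append((rule["number"], rule["hook"], rule["sysctl"]))
    return dead


# Constructed sample ruleset and sysctl state, not taken from the post.
SAMPLE_RULESET = """
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny MAC any 00:11:22:33:44:55 ip layer2   # block one source MAC
ipfw add 300 allow MAC any any arp                       # ARP at layer 2
ipfw add 400 allow tcp from 10.0.0.0/8 to any 22 keep-state
ipfw add 500 deny ip from any to any layer2
ipfw add 65000 deny ip from any to any
"""
SAMPLE_SYSCTLS = {"net.inet.ip.fw.enable": 1, "net.link.ether.ipfw": 0}

if __name__ == "__main__":
    for number, hook, sysctl in dead_rules(SAMPLE_RULESET, SAMPLE_SYSCTLS):
        print(f"rule {number} is never evaluated: {hook} needs {sysctl}=1")
```

With net.link.ether.ipfw left at 0 the script flags rules 200, 300 and 500: the two MAC-form rules and the IP rule carrying `layer2`. Setting that sysctl to 1 makes the same ruleset audit clean, which is exactly the dependency the quoted diagram is warning about.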