From: Max Laier <max@love2party.net>
To: Darren Reed
Cc: Juli Mallett, cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Date: Tue, 20 Jul 2004 03:42:40 +0200
Subject: Re: cvs commit: src/sys/netinet ip_fw2.c src/sys/sys mbuf.h
Message-Id: <200407200342.47359.max@love2party.net>
In-Reply-To: <20040720010905.GB63588@hub.freebsd.org>
References: <200407170240.i6H2eEHO021683@repoman.freebsd.org>
 <200407170538.14572.max@love2party.net>
 <20040720010905.GB63588@hub.freebsd.org>
User-Agent: KMail/1.6.2

On Tuesday 20 July 2004 03:09, Darren Reed wrote:
> On Sat, Jul 17, 2004 at 05:38:07AM +0200, Max Laier wrote:
> > On Saturday 17 July 2004 04:40, Juli Mallett wrote:
> > > Log:
> > > Make M_SKIP_FIREWALL a global (and semantic) flag, preventing
> > > anything from using M_PROTO6 and possibly shooting someone's foot, as
> > > well as allowing the firewall to be used in multiple passes, or with a
> > > packet classifier frontend, that may need to explicitly allow a certain
> > > packet. Presently this is handled in the ipfw_chk code as before,
> > > though I have run with it moved to upper layers, and possibly it should
> > > apply to ipfilter and pf as well, though this has not been
> > > investigated.
> >
> > pf does something to the same effect by prepending a mbuf with the
> > "PACKET_TAG_PF_GENERATED" mbuf_tag to skip processing for its own
> > packets. If we can agree that the presence of M_SKIP_FIREWALL is copied
> > to icmp error messages I will happily replace the mbuf tag with the more
> > general flag (which will perform significantly better, I believe). Please
> > tell me what you think of this.
>
> Hmmm...personally, I think it is better if firewall packages only ignore
> what they've generated themselves.
>
> If you're using multiple ones together, you may wish to use one as a gap
> filler that is able to manage the "output" of another.

That is one of the reasons I do not agree with Juli to handle M_SKIP_FIREWALL
in the upper layer. Every packet filter should still have the option to say,
"Okay, want me to skip? ... I don't care" (because the admin did configure me
this way). Still it is sensible to have a global way to do it in order to
allow things (in other parts of the kernel) that are hard to describe by
firewall rules. Moreover, nothing prevents ipfilter from adding more magic to
the mbuf in order to identify it as its own (e.g. mbuf_tag), but now you
have the additional benefit that you can *hint* the others that this is
something that they *should* (!= must) not molest.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
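The distinction the thread turns on (a global M_SKIP_FIREWALL flag that is only a hint each filter may choose to honor, versus a per-filter mbuf_tag that identifies a filter's own output, and the requirement that the hint be copied onto ICMP error packets) is easier to see in code. The following is an added toy model written for this page; it is not FreeBSD kernel code and not pf, ipfw or ipfilter code. `struct pkt`, `struct filter`, `filter_check`, `chain_drops`, `filter_generate`, `icmp_error_for`, the `PF`/`IPFW`/`IPF` chain, `PACKET_TAG_IPF_GENERATED` and the "drop if ttl below a threshold" stand-in for a rule set are all assumptions of the model; `M_SKIP_FIREWALL` and `PACKET_TAG_PF_GENERATED` are the names from the thread with made-up values. The chain models Darren Reed's "gap filler" case: ipfilter is configured to ignore the hint and inspect everything, while pf and ipfw honor it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the mechanism discussed in the thread. These are NOT FreeBSD's
 * mbuf structures or firewall entry points, only enough to show the semantics. */
#define M_SKIP_FIREWALL 0x01u   /* global hint: a filter *should* leave this packet alone */

/* Stand-in for the mbuf_tag types a filter stamps on packets it generated itself. */
enum pkt_tag { TAG_NONE = 0, PACKET_TAG_PF_GENERATED, PACKET_TAG_IPF_GENERATED };

struct pkt {
    uint32_t flags;    /* global, semantic flags such as M_SKIP_FIREWALL */
    enum pkt_tag tag;  /* per-filter "this one is mine" marker */
    uint8_t ttl;       /* the one header field our toy rule set looks at */
};

enum verdict { PASS = 0, DROP = 1 };

struct filter {
    const char *name;
    enum pkt_tag own_tag;   /* tag this filter puts on its own output (TAG_NONE: it doesn't tag) */
    bool honor_skip_hint;   /* admin knob: obey M_SKIP_FIREWALL, or "I don't care"? */
    uint8_t min_ttl;        /* the whole rule set: drop if ttl < min_ttl */
};

/* Chain order used below: pf, ipfw, then ipfilter as a "gap filler" that the
 * admin configured to ignore the hint and inspect the others' output. (Assumed setup.) */
static const struct filter PF   = { "pf",       PACKET_TAG_PF_GENERATED,  true,  5 };
static const struct filter IPFW = { "ipfw",     TAG_NONE,                 true,  5 };
static const struct filter IPF  = { "ipfilter", PACKET_TAG_IPF_GENERATED, false, 5 };

enum verdict filter_check(const struct filter *f, const struct pkt *p)
{
    /* A filter always ignores what it generated itself (the pf mbuf_tag approach). */
    if (f->own_tag != TAG_NONE && p->tag == f->own_tag)
        return PASS;
    /* The global flag is a hint: honored only if this filter is configured to. */
    if (f->honor_skip_hint && (p->flags & M_SKIP_FIREWALL))
        return PASS;
    /* Otherwise the rule set runs as usual. */
    return p->ttl >= f->min_ttl ? PASS : DROP;
}

/* Bitmask of which chain members drop p: bit0 = pf, bit1 = ipfw, bit2 = ipfilter. */
unsigned chain_drops(const struct pkt *p)
{
    return (unsigned)filter_check(&PF, p)
         | (unsigned)filter_check(&IPFW, p) << 1
         | (unsigned)filter_check(&IPF, p) << 2;
}

/* A filter emitting a packet of its own (e.g. a RST for a "block return" rule).
 * It stamps its own tag and optionally sets the global hint for everyone else. */
struct pkt filter_generate(const struct filter *f, bool set_global_hint, uint8_t ttl)
{
    struct pkt p;
    memset(&p, 0, sizeof p);
    p.tag = f->own_tag;
    p.flags = set_global_hint ? M_SKIP_FIREWALL : 0;
    p.ttl = ttl;
    return p;
}

/* ICMP error generated by the stack in response to orig. Max Laier's condition for
 * replacing pf's tag with the flag is exactly this step: the hint is copied over. */
struct pkt icmp_error_for(const struct pkt *orig, uint8_t ttl)
{
    struct pkt e;
    memset(&e, 0, sizeof e);
    e.flags = orig->flags & M_SKIP_FIREWALL;
    e.tag = TAG_NONE;   /* the IP stack, not a filter, generated it, so no filter tag */
    e.ttl = ttl;
    return e;
}

int main(void)
{
    struct pkt rst = filter_generate(&PF, true, 1);  /* ttl 1 fails every rule set */
    struct pkt err = icmp_error_for(&rst, 1);
    printf("pf-generated RST: drop mask %u (ipfilter still inspects it: %s)\n",
           chain_drops(&rst), (chain_drops(&rst) & 4u) ? "yes" : "no");
    printf("ICMP error:       drop mask %u (hint preserved: %s)\n",
           chain_drops(&err), (err.flags & M_SKIP_FIREWALL) ? "yes" : "no");
    return 0;
}
```

Two things the model makes concrete: a tag only helps the filter that set it (ipfilter's own packets sail past ipfilter and nobody else), while the flag is visible to every filter but binding on none, which is the "should, not must" point; and because the ICMP error loses the generator's tag, only the copied flag keeps it from being dropped by the filters that do honor the hint.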