From owner-freebsd-net Mon May 1 13:33:30 2000
Delivered-To: freebsd-net@freebsd.org
Received: from bubba.whistle.com (bubba.whistle.com [207.76.205.7]) by hub.freebsd.org (Postfix) with ESMTP id 26AD837BCB6 for ; Mon, 1 May 2000 13:23:17 -0700 (PDT) (envelope-from archie@whistle.com)
Received: (from archie@localhost) by bubba.whistle.com (8.9.3/8.9.2) id NAA93590; Mon, 1 May 2000 13:21:43 -0700 (PDT)
From: Archie Cobbs
Message-Id: <200005012021.NAA93590@bubba.whistle.com>
Subject: Re: ether matching in ipfw??
In-Reply-To: <200005012003.WAA46626@info.iet.unipi.it> from Luigi Rizzo at "May 1, 2000 10:03:07 pm"
To: luigi@info.iet.unipi.it (Luigi Rizzo)
Date: Mon, 1 May 2000 13:21:43 -0700 (PDT)
Cc: freebsd-net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Luigi Rizzo writes:
> > In trying to clean up this bridging stuff, I just realized that
> > ip_fw_chk() contains code for matching Ethernet headers and
> > non-IP packets!
> >
> > This hack is just too gross and I plan to rip it out.
> > Call me Danish if you like.
>
> yes it was a gross, and, especially, unfinished hack, and you are
> welcome to rip it out. I should have done it myself long ago.
>
> HOWEVER: for the future re-inclusion I would be a strong advocate
> of a unified firewall interface rather than separate things
> (etherfw, ipfw). The reason is because at times one might want
> to interleave rules matching ethernet headers, ip headers, tcp
> headers, and having separate filters does not support this.

Yes, I think that's a good idea. Seems like a good approach would be
to have separate per-layer filtering in the kernel implementation,
with a nice intuitive unified userland view.

> > Does the "ip" in "ipfw" not mean anything to anyone??
>
> for what matters we are already matching TCP flags which are
> one layer above IP...

True.. if we did things properly we'd have different filtering engines
at each level. This would not be too hard to accomplish using netgraph
by providing 'stub' hooks at the appropriate points in the networking
stack. It should all have a nice unified userland view of course.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com
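As an added illustration of the two points in this exchange (Luigi's wish to interleave Ethernet, IP and TCP rules in one ordered list, and Archie's separate per-layer engines behind a unified view), here is a toy first-match filter in Python; it is example code written for this page, not FreeBSD, ipfw or netgraph code. The frame builder, the sample MAC/IP addresses and the rule set are constructed for the demonstration, and the parser decodes only IPv4 over Ethernet and TCP.

```python
import struct

ETH_LEN, IP_MIN_LEN, TCP_MIN_LEN = 14, 20, 20

def parse_frame(frame: bytes) -> dict:
    """Split a raw frame into per-layer header dicts; only IPv4/TCP is decoded."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    layers = {"ether": {"src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype}}
    if ethertype != 0x0800 or len(frame) < ETH_LEN + IP_MIN_LEN:
        return layers                      # non-IP frame: only layer 2 is visible
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4               # IPv4 header length in bytes
    proto = ip[9]
    src_ip, dst_ip = struct.unpack("!4s4s", ip[12:20])
    layers["ip"] = {"proto": proto, "src": ".".join(map(str, src_ip)),
                    "dst": ".".join(map(str, dst_ip))}
    if proto == 6 and len(ip) >= ihl + TCP_MIN_LEN:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        layers["tcp"] = {"sport": sport, "dport": dport, "syn": bool(ip[ihl + 13] & 0x02)}
    return layers

# Each rule names the layer engine that evaluates it: (layer, field, value, action).
def evaluate(rules, frame: bytes):
    """First match wins; a rule for a layer the frame lacks simply does not match."""
    layers = parse_frame(frame)
    for num, (layer, field, value, action) in enumerate(rules, start=1):
        hdr = layers.get(layer)
        if hdr is not None and hdr.get(field) == value:
            return num, action
    return None, "allow"                   # default policy of this toy: accept

def build_frame(src_mac: str, src_ip: str, dport: int, ethertype: int = 0x0800) -> bytes:
    """Constructed sample traffic: a TCP SYN (checksums left zero) or a padded non-IP frame."""
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex(src_mac), ethertype)
    if ethertype != 0x0800:
        return eth + bytes(46)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

# One ordered list interleaving rules from three layers (constructed example set).
RULES = [
    ("ether", "src", "aa:bb:cc:dd:ee:ff", "deny"),   # layer 2: block one station
    ("ip", "src", "10.0.0.1", "allow"),              # layer 3: trusted host
    ("tcp", "dport", 22, "deny"),                    # layer 4: no SSH from others
]
```

Because the list is evaluated in order, the layer-3 allow for 10.0.0.1 shadows the layer-4 SSH deny for that host, which is exactly the kind of cross-layer ordering that three independent filters could not express.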