Date: Thu, 23 Apr 1998 16:42:17 +0200
From: Eivind Eklund <eivind@yes.no>
To: Darren Reed <avalon@coombs.anu.edu.au>
Cc: hackers@FreeBSD.ORG
Subject: Re: changing ipfw interface (was Re: cvs commit: src/sys/netinet ip_fw.c)
Message-ID: <19980423164217.62057@follo.net>
In-Reply-To: <199804231432.OAA03248@ns1.yes.no>; from Darren Reed on Fri, Apr 24, 1998 at 12:33:46AM +1000
References: <19980423144259.57155@follo.net> <199804231432.OAA03248@ns1.yes.no>

On Fri, Apr 24, 1998 at 12:33:46AM +1000, Darren Reed wrote:
> In some mail from Eivind Eklund, sie said:
> > On Thu, Apr 23, 1998 at 10:12:54PM +1000, darrenr@reed.wattle.id.au wrote:
> > > In some email I received from Eivind Eklund, sie wrote:
> > > [...]
> > > > Well, what do you think?
> > >
> > > To me, it seems that it is effectively duplicating the BPF code,
> >
> > I don't understand why you see this change as really related to BPF.
> > This is _not_ in any way duplicating BPF - this is just another way of
> > passing the IPFW rules over the userland/kernel boundary.
>
> Well, to me, it looks like you're using a system call to tell IPFW in what
> order to examine X bytes, and making up a filter of a sequence of these
> commands, rather than giving it a complete rule.

Ah - no.  The way this is intended to work is

1. Create a rule in the kernel, of the default type (probably a deny
   rule matching 0.0.0.0/0 in both directions).  The ID for this rule
   is passed back to the userland.
2. The userland does one or more calls to the kernel to modify the
   rule just created - e.g., 'match source address 192.168.1.14',
   'match source port 53', 'match UDP', 'set to allow'.
3. The userland process 'commits' the finished rule.

Basically, instead of building a full IPFW rule structure in userland
and passing it over the userland/kernel boundary in one piece, each
field of the structure is passed over the boundary tagged as being
that field, and the structure is assembled in the kernel.  Fields not
included in the list of tagged fields are left as their default
values.

Am I making myself clear here?

Eivind.
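
The three-step exchange described in the message above (create a default rule, set tagged fields, commit), sketched as an added example that is not part of the original e-mail or of FreeBSD's ipfw code; every function name, tag and the rule layout is hypothetical. It goes one step beyond the message by adding a packet-path check, to show that a rule under construction has no effect until it is committed and that unknown tags or out-of-range values are refused.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical names, tags and layout for illustration; not FreeBSD's ipfw code. */
enum { FW_SRC_ADDR = 1, FW_SRC_PORT, FW_PROTO, FW_ACTION };   /* field tags */
enum { FW_DENY = 0, FW_ALLOW = 1, FW_MAX = 8 };
enum { ST_FREE = 0, ST_BUILDING, ST_COMMITTED };
static struct fw_rule {
    uint32_t src_addr, src_mask;   /* mask 0 matches any source (0.0.0.0/0) */
    uint16_t src_port;             /* 0 matches any port */
    uint8_t proto, action, state;  /* proto 0 matches any protocol */
} rules[FW_MAX];                   /* zero-initialised, so every slot starts free */

static struct fw_rule *building(int id) {   /* a rule that may still be edited */
    return (id >= 0 && id < FW_MAX && rules[id].state == ST_BUILDING) ? &rules[id] : NULL;
}

int fw_create(void) {   /* step 1: new rule with defaults (deny, match all); returns ID */
    int id = 0;
    while (id < FW_MAX && rules[id].state != ST_FREE) id++;
    if (id == FW_MAX) return -1;
    rules[id] = (struct fw_rule){ .action = FW_DENY, .state = ST_BUILDING };
    return id;
}

int fw_set(int id, int tag, uint32_t v) {   /* step 2: set one tagged field */
    struct fw_rule *r = building(id);
    if (!r) return -1;                      /* bad ID, or rule already committed */
    switch (tag) {
    case FW_SRC_ADDR: r->src_addr = v; r->src_mask = 0xffffffffu; return 0;
    case FW_SRC_PORT: if (v > 0xffff) return -1; r->src_port = (uint16_t)v; return 0;
    case FW_PROTO:    if (v > 0xff) return -1; r->proto = (uint8_t)v; return 0;
    case FW_ACTION:   if (v > FW_ALLOW) return -1; r->action = (uint8_t)v; return 0;
    default:          return -1;            /* unknown tag: refuse, change nothing */
    }
}

int fw_commit(int id) {   /* step 3: make the finished rule visible to the packet path */
    struct fw_rule *r = building(id);
    if (r) r->state = ST_COMMITTED;
    return r ? 0 : -1;
}

int fw_check(uint32_t src, uint16_t sport, uint8_t proto) {  /* first committed match decides */
    for (const struct fw_rule *r = rules; r < rules + FW_MAX; r++)
        if (r->state == ST_COMMITTED && ((src ^ r->src_addr) & r->src_mask) == 0 &&
            (!r->src_port || r->src_port == sport) && (!r->proto || r->proto == proto))
            return r->action;
    return FW_DENY;
}
```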