From: Eivind Eklund
To: Julian Elischer
Cc: Julian Elischer, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-sys@FreeBSD.ORG
Subject: Re: cvs commit: src/sys/netinet ip_fw.c
Date: Wed, 22 Apr 1998 15:51:33 +0200
Message-ID: <19980422155133.57092@follo.net>
In-Reply-To: <353D2C41.1F1A7590@whistle.com>; from Julian Elischer on Tue, Apr 21, 1998 at 04:31:13PM -0700

On Tue, Apr 21, 1998 at 04:31:13PM -0700, Julian Elischer wrote:
> Eivind Eklund wrote:
> > This still doesn't solve the problems with IPFW (foremost, that
> > extending the structure blows the userland interface).
>
> why?
> if you recompile it with a new structure...

That's what I'm saying - it blows the userland interface. It means
that anything using IPFW has to track the kernel version exactly.

> > We need a new interface - I proposed an interface to -hackers some
> > time back, and got exactly NO response :-(
>
> I agree on the new interface, but the limit on the structure size
> was that each file rule had to fit into an mbuf.
> this removes that limit and should look identical to the user
> land program.
> I was considering using IOCTLS instead..
> what was your suggestion?

In-kernel object building. Basically, first an object is created in
the kernel with default values, and then the userland side sends a set
of 'change field' requests, and at 'commit' the object is added to the
firewall chain. I also added support for multiple firewall chains to
the interface, 'just in case'.

Copies of the original, detailed mail (200 lines) are available on
request (or I can re-send it to hackers).

Eivind.
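
The create / change-field / commit flow described in the message above, sketched as an added example (not code from the original mail, the proposal it refers to, or FreeBSD). All names (`fw_create`, `fw_set_field`, `fw_commit`, `fw_chain_len`, the field tags, the chain count) and the default-deny value are assumptions; it runs in userland as a model of the kernel side, showing that callers name fields by tag and never depend on the rule structure's layout.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical field tags: userland names a field by tag, never by struct offset. */
enum fw_field { FW_F_ACTION = 1, FW_F_PROTO, FW_F_SRC, FW_F_DST };
enum fw_action { FW_DENY = 0, FW_ACCEPT = 1 };
#define FW_NCHAINS 4                 /* assumed number of firewall chains */

/* "Kernel"-private rule layout; it can grow without breaking any caller. */
struct fw_rule {
    uint32_t action, proto, src, dst;
    int committed;
    struct fw_rule *next;
};
static struct fw_rule *fw_chain[FW_NCHAINS];

/* Step 1: create an uncommitted object holding default values. */
struct fw_rule *fw_create(void) {
    struct fw_rule *r = calloc(1, sizeof(*r));
    if (r != NULL) r->action = FW_DENY;       /* assumed default: fail closed */
    return r;
}

/* Step 2: one 'change field' request. Unknown tags and bad values are rejected,
 * so an older kernel refuses a newer field instead of misreading a struct. */
int fw_set_field(struct fw_rule *r, uint32_t tag, uint32_t value) {
    if (r == NULL || r->committed) return -1; /* live rules are immutable here */
    switch (tag) {
    case FW_F_ACTION: if (value > (uint32_t)FW_ACCEPT) return -1; r->action = value; return 0;
    case FW_F_PROTO:  if (value > 255) return -1; r->proto = value; return 0;
    case FW_F_SRC:    r->src = value; return 0;
    case FW_F_DST:    r->dst = value; return 0;
    default:          return -1;
    }
}

/* Step 3: commit appends the finished object to the chosen chain, once. */
int fw_commit(struct fw_rule *r, unsigned chain) {
    struct fw_rule **pp;
    if (r == NULL || r->committed || chain >= FW_NCHAINS) return -1;
    for (pp = &fw_chain[chain]; *pp != NULL; pp = &(*pp)->next) ;
    r->committed = 1;
    *pp = r;
    return 0;
}

/* Number of committed rules on a chain (0 for an invalid chain index). */
unsigned fw_chain_len(unsigned chain) {
    unsigned n = 0;
    for (struct fw_rule *r = chain < FW_NCHAINS ? fw_chain[chain] : NULL; r; r = r->next) n++;
    return n;
}
```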