From owner-freebsd-ipfw@FreeBSD.ORG  Fri Oct 19 20:06:30 2012
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 160597AE;
 Fri, 19 Oct 2012 20:06:30 +0000 (UTC)
 (envelope-from julian@freebsd.org)
Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16])
 by mx1.freebsd.org (Postfix) with ESMTP id D70C88FC08;
 Fri, 19 Oct 2012 20:06:29 +0000 (UTC)
Received: from JRE-MBP-2.local (c-50-143-149-146.hsd1.ca.comcast.net
 [50.143.149.146]) (authenticated bits=0)
 by vps1.elischer.org (8.14.5/8.14.5) with ESMTP id q9JK6L8K068127
 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO);
 Fri, 19 Oct 2012 13:06:23 -0700 (PDT)
 (envelope-from julian@freebsd.org)
Message-ID: <5081B2BD.3090103@freebsd.org>
Date: Fri, 19 Oct 2012 13:06:21 -0700
From: Julian Elischer <julian@freebsd.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6;
 rv:16.0) Gecko/20121010 Thunderbird/16.0.1
MIME-Version: 1.0
To: "Andrey V. Elsukov" <ae@freebsd.org>
Subject: Re: [RFC] Enabling IPFIREWALL_FORWARD in run-time
References: <508138A4.5030901@FreeBSD.org>
In-Reply-To: <508138A4.5030901@FreeBSD.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: ipfw@freebsd.org, net@freebsd.org
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Oct 2012 20:06:30 -0000

On 10/19/12 4:25 AM, Andrey V. Elsukov wrote:
> Hi All,
>
> Many years ago i have already proposed this feature, but at that time
> several people were against, because as they said, it could affect
> performance. Now, when we have high speed network adapters, SMP kernel
> and network stack, several locks acquired in the path of each packet,
> and i have an ability to test this in the lab.
>
> So, i prepared the patch, that removes IPFIREWALL_FORWARD option from
> the kernel and makes this functionality always build-in, but it is
> turned off by default and can be enabled via the sysctl(8) variable
> net.pfil.forward=1.
>
> 	http://people.freebsd.org/~ae/pfil_forward.diff
>
> Also we have done some tests with the ixia traffic generator connected
> via 10G network adapter. Tests have show that there is no visible
> difference, and there is no visible performance degradation.
>
> Any objections?
>
NO objection from me..
It was always my intention to "some day" either make it standard, OR 
at least default it to 'on'.

looks ot me as if a couple of your 'goto's might just be changed to  {}