Date: Tue, 30 Sep 2003 23:43:58 +0200 (CEST)
From: ale@unixmania.net
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/57428: a couple of new sysctl to toggle which IP firewall (IPFW or IPF) would process packets first
Message-ID: <20030930214358.35EDE5F7D@libero.sunshine.ale>
Resent-Message-ID: <200309302150.h8ULoQvY059960@freefall.freebsd.org>
>Number: 57428
>Category: kern
>Synopsis: a couple of new sysctl to toggle which IP firewall (IPFW or IPF) would process packets first
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 30 14:50:26 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Alessandro de Manzano
>Release: FreeBSD 4.7-STABLE i386
>Organization: n/a
>Environment:
System: FreeBSD libero.sunshine.ale 4.7-STABLE FreeBSD 4.7-STABLE #6: Mon Oct 14 10:22:28 CEST 2002 root@libero.sunshine.ale:/usr/obj/usr/src/sys/LIBERO i386
>Description:
Sometimes in my job as netadmin I found that the possibility to choose which IP firewall, among IPFW(2) and IPFilter, would process packets first would be a very useful thing. Think about complex firewall rules where a single IP firewall is not enough because of the very good NAT capabilities of IPF and/or the fine bandwidth control of IPFW.

By default the FreeBSD kernel processes IPFilter hooks before IPFW ones. The attached patch, while style(9)-istically absolutely horrible ;), allows toggling such default for both input and output packets.

A few days of testing on a moderately loaded home server said it seems to work as expected, but it definitely needs more testing.
>How-To-Repeat:
>Fix:
Attachment: ippatches.tgz (uuencoded, mode 644)
>Release-Note:
>Audit-Trail:
>Unformatted: