From owner-freebsd-bugs@FreeBSD.ORG  Tue Sep 30 14:50:29 2003
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D94F516A4BF
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 30 Sep 2003 14:50:28 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7DC7343FF3
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 30 Sep 2003 14:50:26 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h8ULoQFY059961
	for <freebsd-bugs@freefall.freebsd.org>;
	Tue, 30 Sep 2003 14:50:26 -0700 (PDT)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h8ULoQvY059960;
	Tue, 30 Sep 2003 14:50:26 -0700 (PDT)
	(envelope-from gnats)
Resent-Date: Tue, 30 Sep 2003 14:50:26 -0700 (PDT)
Resent-Message-Id: <200309302150.h8ULoQvY059960@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, ale@unixmania.net
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 78FEB16A4D8
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 30 Sep 2003 14:44:06 -0700 (PDT)
Received: from mail.dada.it (mail3.dada.it [195.110.100.3])
	by mx1.FreeBSD.org (Postfix) with SMTP id CDF3743FA3
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 30 Sep 2003 14:44:04 -0700 (PDT)
	(envelope-from ale@unixmania.net)
Received: (qmail 31947 invoked from network); 30 Sep 2003 21:44:00 -0000
Received: from unknown (HELO libero.sunshine.ale) (195.110.114.252)
  by mail.dada.it with SMTP; 30 Sep 2003 21:44:00 -0000
Received: by libero.sunshine.ale (Postfix, from userid 1001)
	id 35EDE5F7D; Tue, 30 Sep 2003 23:43:58 +0200 (CEST)
Message-Id: <20030930214358.35EDE5F7D@libero.sunshine.ale>
Date: Tue, 30 Sep 2003 23:43:58 +0200 (CEST)
From: ale@unixmania.net
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/57428: a couple of new sysctl to toggle which IP firewall
	(IPFW or IPF) would process packets first
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: ale@unixmania.net
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Sep 2003 21:50:29 -0000


>Number:         57428
>Category:       kern
>Synopsis:       a couple of new sysctl to toggle which IP firewall (IPFW or IPF) would process packets first
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 30 14:50:26 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Alessandro de Manzano
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
n/a
>Environment:
System: FreeBSD libero.sunshine.ale 4.7-STABLE FreeBSD 4.7-STABLE #6: Mon Oct 14 10:22:28 CEST 2002 root@libero.sunshine.ale:/usr/obj/usr/src/sys/LIBERO i386


	
>Description:
	Sometimes in my job as netadmin I found possibility to choose
	which IP firewall, among IPFW(2) and IPFilter, would process packets
	first would be a very useful thing. Think about complex firewall
	rules where a single IP firewall is not enough because of very good
	NAT capabilities of IPF and/or fine bandwidth control of IPFW.
	By default FreeBSD kernel process IPFilter hooks before IPFW ones.
	The attached patch, while style(9)-istically absolutely horrible ;),
	allow toggle such default for both input and output packets.
	Few days of test on a moderately load home server said it seems
	to work as expected, but it defintely need more testing.

	
>How-To-Repeat:
	
>Fix:

	

begin 644 ippatches.tgz
M'XL(`##V>3\``^U6_4_C-ACFU_:O>.].@M*D;9Q^!,I=!>-CJ\8`'4RG:9JB
MD#@7JVD2V2X=VMW_OM=.2DN!P4UBTR8_4EO7?NV\?OSF><P*GV7%3+:+0(;)
MQJO`(8XSZ/4V',<A7I^L_CJZ[0XV',_K#KJ>ZWG83URG-]@`YW72N8^9D`$'
MV`A2^I=QSXW_1]%JM:##\UQVV*(2PMI/>0:7M`#8`;(S[`V&?0=<Q^G6+<N"
M)^)VAZX[=`=EW/X^M,CNP!Z`I7Z(`_O[=5#89(60-$AE8H-CP]NWVWMU>$>S
MB,5UJ%MX&)*%P#)98T4\QR?Y,>-"P@=P]NK6Y2^7AU>G_OCLJN%G5.*P^BIL
M.!\?^0<_7YW;<&^:#1A^<GKPO?_QDUVW:IMKHXL,+'PV=)IPPCB=!VD*29Y/
M!#0[=;5=G!(F$U]"<_FGD'Q/;[/7VU7;[/6[MJ=W68,F'"8TG`"+84YA'F02
M9`ZX;#X'F3`!11!.J.Z\IE#P/*1"T*A=S<TSP2+*@2TBKH-(K97EL@SIX$[P
M?V.-(:1H&_[`"#46<TP3DRC*KIJ0?!;*VO1Z%M>:4X)\3I'X<@=]?5"]`5GL
MH%;C5,YXMJ?:K%#!,H\:4]4@-I1K(3/05*=7^XKY?%T\=^[3++A.*6QNPOCB
MY)-_>GYP='Q4I=%IJF_<Y5AQLW6#FZ,T@SCG\X!'-(*8YU,DB4(^DUADH*BP
M54=6YKKKJ5S[3M<F_2K99:Z81!$(,7R4GS<5/U;M(4'8]SA#EAY2\8WF<D9#
ME5R2TLR&:6LT]8N)3"+>YN$-BW51;4[)-GSY`F_P5Z]PEZ1>[AE&,::B%/>D
M&4/"+LHR@;R0#"L$@BRRJZJ`B`J)KT*D>(29L.LO?_^QHDNF7]$`GM%_=T"<
MA?YW';>O]-_M$J/__P3NZ7]5"0^$G0P=]YX!/!'8\X:NLW2`OJO?5;>2E7<L
M"]-91.&]N!4=D2L-;">CQP=N`O[(F-)*U6VM3;D5H4QU_.H,-(<.B]>649T<
M\Z>J7_L4<;1/$6(3HA.M`_U=4IY5DJ`46N9B#LIMQ/S7W_;N.Y7VM=)W<-V_
MY5=W\]8,"RILKD<MC>LN1AD8>BQ*ZT4EGFV`*U32RFU8!DK;($P"U80PSR2V
M4$E`3&A*99#B5+U"0@-E0(TYDPEHF<MC%#8I4[LD`]NY0-GBH0V1D-MMS:3G
M:"/QB+MBA2WXQ(-B"'$P6:2RA<^,(MXI<B[A_2QCTR)MCQ;AQUD8%&*6!I(.
M05D`T[D'*'0))H6[0^D#@5<&M<UVM4`UOP.KVK]R'"\P1RCY0:P9I$>4MUN>
MZ]@["X/\C"Q`E&?TQ1[9TI)NU58TO;PF:):5Y<75[:/=KJX"U[A[I>_E12+@
M^$DYGLTMNB;+/D,\C[8JRPR6LW7.NSU]%KO]GDT&9=+:3Q[XXY*CEQGD(RRM
MF"3E'"WH`SSAEBS&)BG]<<T@5PC])H^T-)]`7*^S`U-4<\U84!0491W5:8ZT
M8%5]/#DD:"MM?:<K<\UDGJ287&N$BH95W!:^*LMM&(U@?.8?GAY<7A[X9Y<_
MC$^NME4%8>?I^?G%=P>'/YX=7V'ZZI00]U?"E^(;5U($_]L^8&!@8&!@8&!@
<8&!@8&!@8&!@8&!@8&!@8/#_P)\7JBNT`"@`````
`
end


>Release-Note:
>Audit-Trail:
>Unformatted: