From owner-freebsd-hackers@FreeBSD.ORG  Fri Jan 16 01:27:11 2004
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 22AE616A4CE; Fri, 16 Jan 2004 01:27:11 -0800 (PST)
Received: from gvr.gvr.org (gvr-gw.gvr.org [80.126.103.228])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 8E35143D68; Fri, 16 Jan 2004 01:27:09 -0800 (PST)
	(envelope-from guido@gvr.org)
Received: by gvr.gvr.org (Postfix, from userid 657)
	id ED31E5F; Fri, 16 Jan 2004 10:27:08 +0100 (CET)
Date: Fri, 16 Jan 2004 10:27:08 +0100
From: Guido van Rooij <guido@gvr.org>
To: Robert Watson <rwatson@freebsd.org>
Message-ID: <20040116092708.GA203@gvr.gvr.org>
References: <40070D9E.6060407@inodes.us>
	<Pine.NEB.3.96L.1040115170208.74950B-100000@fledge.watson.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.NEB.3.96L.1040115170208.74950B-100000@fledge.watson.org>
cc: Matt Freitag <mpf@inodes.us>
cc: freebsd-hackers@freebsd.org
Subject: Re: 5.1->5.2
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jan 2004 09:27:12 -0000

On Thu, Jan 15, 2004 at 05:04:59PM -0500, Robert Watson wrote:
> 
> IPFILTER now relies on the PFIL_HOOKS kernel option; this is something
> that is somewhat poorly documented, and we should add it to the errate I
> suspect.  If you add "options PFIL_HOOKS" to your kernel config, it should
> work.  Moving to PFIL_HOOKS for all the "funky IP input/ouput" feature is
> a goal for 5.3 (in fact, I believe Sam has it almost entirely done in one
> of his development branches), and should both simplify the input/output
> paths, and also simplify locking for the IP stack.  So the change is for a
> good cause :-).
> 

That reminds me: is there a way to influence the order in which
the various packages are hooked up? E.g. I can imagine
a situation where you want IPfilter NATting and ipfw filtering.
In such a scenario you want to be able to specify _exactly_
that ipfilter comes before ipfw when packets come in, and vice
versa when packets go out.

-Guido