Date: Mon, 8 Mar 2004 20:22:36 -0800 (PST)
From: darrenr@FreeBSD.ORG (Darren Reed)
To: Sam Leffler <sam@errno.com>
Cc: cvs-src@FreeBSD.org
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.hif_pfsync.c src/sys/contrib/pf/netinet in4_cksum.c
Message-ID: <20040309042236.600F916A4CF@hub.freebsd.org>
In-Reply-To: <565913D0-68E2-11D8-AE91-000A95AD0668@errno.com>

In some mail I received from Sam Leffler, sie wrote
>
> I made two attempts to eliminate all the ipfw-, dummynet-, and
> bridge-specific code in the ip protocols but never got stuff to the
> point where I was willing to commit it. My main motivation for doing
> this was to eliminate much of the incestuous behaviour so that you
> could reason about locking requirements but there were other benefits
> (e.g. I was also trying to make the ip code more "firewall agnostic").
> The changes involved replacing the well-known function pointers with
> PFIL_HOOKS, restructuring code and APIs so non-ip code could move out
> of the ip protocol code, and the elimination of MT_TAG mbufs. Max
> followed through getting the latter committed (thanks, great work!) and
> I hope to return to this when I've got free time.

If it helps, Sam, you've got my support in doing this :)

I had a go at doing this and I think the summary was:
- build a wrapper function for ipfw
- change the pfil interface from the network stack to include an extra
  parameter with all the guff for ipfw

And through the use of the wrappers, there was no need to change
ipfw or ipfilter code.

I suppose that sounds easy (for the casual reader) but that's like all
things that look easy :)

If you want help with this, just holler.

Darren