From owner-freebsd-hackers Wed May 7 11:55:37 1997
From: Archie Cobbs
Message-Id: <199705071854.LAA01477@bubba.whistle.com>
Subject: Re: divert still broken?
In-Reply-To: <5kpbbn$j4n@news.itfs.nsk.su> from "Nickolay N. Dudorov" at "May 7, 97 07:35:19 am"
To: nnd@info.itfs.nsk.su (Nickolay N. Dudorov)
Date: Wed, 7 May 1997 11:54:27 -0700 (PDT)
Cc: hackers@FreeBSD.ORG

> > Anything else? :-)
>
> Can it be possible to extend 'negative' comparison
> logic to other filter components f.e.
>
> add 4032 deny all from xxx.xxx.xxx.0 to any out via not cx0
> (or not via cx0 ?)
>
> Currently this is possible for src and dst addresses (and there
> is no more available flag bits ;-)

The biggest problem I've had is that setsockopt() limits the argument
to 108 bytes (which is MLEN - i.e., the size of an mbuf minus the header).
Right now sizeof(struct ip_fw) == 108, so there's no more room.
The flags word is 16 bits and it's all used up as well.

Question: would it be possible to move to an ioctl() based system
instead of setsockopt()? Since kernel malloc() allocates things in
powers of two, struct ip_fw could then expand up to 128 bytes without
using up any more kernel memory.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com