Date: Thu, 8 May 1997 09:18:28 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: archie@whistle.com (Archie Cobbs)
Cc: nnd@info.itfs.nsk.su, hackers@FreeBSD.ORG
Subject: Re: divert still broken?
Message-ID: <199705072320.QAA24394@hub.freebsd.org>
In-Reply-To: <199705071854.LAA01477@bubba.whistle.com> from "Archie Cobbs" at May 7, 97 11:54:27 am

In some mail from Archie Cobbs, sie said:
>
> >
> > > Anything else? :-)
> >
> > Can it be possible to extend 'negative' comparison
> > logic to other filter components f.e.
> >
> >     add 4032 deny all from xxx.xxx.xxx.0 to any out via not cx0
> >                                     (or not via cx0 ?)
> >
> > Currently this is possible for src and dst addresses (and there
> > are no more available flag bits ;-)
>
> The biggest problem I've had is that setsockopt() limits the argument
> to 108 bytes (which is MLEN - i.e., the size of an mbuf minus the header).
> Right now sizeof(struct ip_fw) == 108, so there's no more room.
>
> The flags word is 16 bits and it's all used up as well.
>
> Question: would it be possible to move to an ioctl() based system instead
> of setsockopt()?

IP Filter does it that way :)

Darren