From owner-cvs-src@FreeBSD.ORG Thu Feb 26 21:03:52 2004
Delivered-To: cvs-src@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DBEE216A4CE; Thu, 26 Feb 2004 21:03:52 -0800 (PST)
Received: from ebb.errno.com (ebb.errno.com [66.127.85.87]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3007343D1F; Thu, 26 Feb 2004 21:03:52 -0800 (PST) (envelope-from sam@errno.com)
Received: from [66.127.85.92] ([66.127.85.92]) (authenticated bits=0) by ebb.errno.com (8.12.9/8.12.9) with ESMTP id i1R53n5D009791 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO); Thu, 26 Feb 2004 21:03:50 -0800 (PST) (envelope-from sam@errno.com)
In-Reply-To: <20040226071123.A31631@xorpc.icir.org>
References: <200402260234.i1Q2YDx1014240@repoman.freebsd.org> <20040226060126.GA70201@troutmask.apl.washington.edu> <20040226080517.GA29763@cat.robbins.dropbear.id.au> <20040226015016.B23674@xorpc.icir.org> <403DC956.8EA364B2@freebsd.org> <20040226071123.A31631@xorpc.icir.org>
Mime-Version: 1.0 (Apple Message framework v609)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <565913D0-68E2-11D8-AE91-000A95AD0668@errno.com>
Content-Transfer-Encoding: 7bit
From: Sam Leffler
Date: Thu, 26 Feb 2004 21:03:52 -0800
To: Luigi Rizzo
X-Mailer: Apple Mail (2.609)
cc: Max Laier
cc: Andre Oppermann
cc: Steve Kargl
cc: cvs-src@FreeBSD.org
cc: cvs-all@FreeBSD.org
cc: src-committers@FreeBSD.org
cc: Tim Robbins
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the src tree
X-List-Received-Date: Fri, 27 Feb 2004 05:03:53 -0000

On Feb 26, 2004, at 7:11 AM, Luigi Rizzo wrote:

> On Thu, Feb 26, 2004 at 11:24:22AM +0100, Andre Oppermann wrote:
>> Luigi,
>>
>> do you have any patches ready or in the works to make ipfw2 use the
>> PFIL_HOOKS API? That would simplify ip_input() and ip_output() a
>> *great* deal.
>
> No, I will try to look and see if I can implement something of use.
> But I don't think you'd save much more than the extra call to
> ip_fw_chk() -- things such as 'divert' and 'forward'
> greatly interact with the rest of the packet processing in ip_input()
> and ip_output(). If you look at the code, calling
> the firewall is a short block of code; the big offender is the
> processing after the firewall returns with a non-trivial action
> (especially 'forward' in ip_output()).

I made two attempts to eliminate all the ipfw-, dummynet-, and bridge-specific code in the ip protocols but never got stuff to the point where I was willing to commit it. My main motivation for doing this was to eliminate much of the incestuous behaviour so that you could reason about locking requirements, but there were other benefits (e.g. I was also trying to make the ip code more "firewall agnostic"). The changes involved replacing the well-known function pointers with PFIL_HOOKS, restructuring code and APIs so non-ip code could move out of the ip protocol code, and the elimination of MT_TAG mbufs. Max followed through getting the latter committed (thanks, great work!) and I hope to return to this when I've got free time.

Sam
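As an added illustration, not code from this thread, from FreeBSD, or from Sam Leffler's patches: a userland C model of the PFIL_HOOKS attachment style that Andre and Sam discuss, in which ip_input() consults a per-protocol-family hook list rather than naming one firewall through a well-known function pointer such as ip_fw_chk_ptr. The names pfil_add, pfil_run, pfil_reset, ip_input, setup_hooks and the two mock filters (mock_ipfw, mock_pf) are simplified stand-ins chosen for this example and are not the kernel's real signatures; the sample packets are constructed.

```c
/* Userland model (assumed names, not FreeBSD kernel code) of a
 * PFIL_HOOKS-style filter chain: the IP layer runs whatever hooks
 * were registered on its head and never names a specific firewall. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

enum { DIR_IN = 1, DIR_OUT = 2 };

/* Minimal constructed packet: only the fields the mock filters inspect. */
struct pkt {
    int proto;          /* 6 = TCP, 17 = UDP */
    int dport;
    int ttl;
};

/* Hook contract (assumption for this model): return 0 to let the packet
 * continue, nonzero to reject it. A hook that takes the packet away
 * (the divert/forward case in the thread) sets *pp to NULL, and the
 * caller must stop processing instead of touching a packet it no
 * longer owns. */
typedef int (*hook_fn)(void *arg, struct pkt **pp, int dir);

struct hook { hook_fn fn; void *arg; int dirs; };

#define MAXHOOKS 8
struct pfil_head { struct hook hooks[MAXHOOKS]; int n; };

static struct pfil_head inet_head;   /* one head per protocol family */

void pfil_reset(struct pfil_head *ph) { ph->n = 0; }

/* Register a hook for the given direction mask; -1 if the head is full. */
int pfil_add(struct pfil_head *ph, hook_fn fn, void *arg, int dirs)
{
    if (ph->n >= MAXHOOKS) return -1;
    ph->hooks[ph->n].fn = fn;
    ph->hooks[ph->n].arg = arg;
    ph->hooks[ph->n].dirs = dirs;
    ph->n++;
    return 0;
}

/* Run every hook registered for this direction, in registration order,
 * stopping at the first one that rejects or consumes the packet. */
int pfil_run(struct pfil_head *ph, struct pkt **pp, int dir)
{
    for (int i = 0; i < ph->n; i++) {
        if ((ph->hooks[i].dirs & dir) == 0) continue;
        int rv = ph->hooks[i].fn(ph->hooks[i].arg, pp, dir);
        if (rv != 0 || *pp == NULL) return rv;
    }
    return 0;
}

/* Mock "ipfw": reject inbound TCP to the port passed as arg. */
static int mock_ipfw(void *arg, struct pkt **pp, int dir)
{
    int blocked_port = *(int *)arg;
    if (dir == DIR_IN && (*pp)->proto == 6 && (*pp)->dport == blocked_port)
        return 1;
    return 0;
}

/* Mock "pf"-style sanity check: drop packets whose TTL has expired. */
static int mock_pf(void *arg, struct pkt **pp, int dir)
{
    (void)arg; (void)dir;
    return (*pp)->ttl <= 0 ? 1 : 0;
}

/* The IP input path: no firewall-specific pointer, only the hook head.
 * Returns 0 if the packet would be handed up, -1 if rejected/consumed. */
int ip_input(struct pkt *p)
{
    if (pfil_run(&inet_head, &p, DIR_IN) != 0 || p == NULL)
        return -1;
    return 0;
}

static int telnet_port = 23;

/* Attach both mock filters to the inet head; returns the hook count. */
int setup_hooks(void)
{
    pfil_reset(&inet_head);
    pfil_add(&inet_head, mock_ipfw, &telnet_port, DIR_IN);
    pfil_add(&inet_head, mock_pf, NULL, DIR_IN | DIR_OUT);
    return inet_head.n;
}

int main(void)
{
    setup_hooks();
    struct pkt a = { 6, 23, 64 }, b = { 6, 80, 64 }, c = { 17, 53, 0 };
    printf("tcp/23       -> %s\n", ip_input(&a) ? "dropped" : "passed");
    printf("tcp/80       -> %s\n", ip_input(&b) ? "dropped" : "passed");
    printf("udp/53 ttl=0 -> %s\n", ip_input(&c) ? "dropped" : "passed");
    return 0;
}
```

The point of the model is the one Sam makes: ip_input() compiles and runs identically whether zero, one or several filters are loaded, so locking and ownership can be reasoned about at the hook boundary. The *pp == NULL rule is where Luigi's objection lives: a filter that diverts or forwards the packet still needs the caller to know the packet is gone, and any further IP-layer processing after such an action has to be moved behind the hook rather than left inline.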