Date: Tue, 22 Jun 2004 11:52:59 +0200
From: "Angelo Turetta" <aturetta@commit.it>
To: <freebsd-current@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: New preview patch for ipfw to pfil_hooks conversion
Message-ID: <006901c4583e$b651fe60$5a2ba8c0@lan>
References: <40D754D5.1070805@freebsd.org>

----- Original Message -----
From: "Andre Oppermann" <andre@freebsd.org>
Sent: Monday, June 21, 2004 11:36 PM

> This patch significantly cleans up ip_input.c and ip_output.c.
>
> The following is included in this patch:
>
>  o Remove all ipfw related cruft from ip_input() and ip_output()
>  o New ip_fw_pfil.c file which contains all ipfw/pfil_hooks logic

IIRC, I once had a problem with a mixed setup where I used IPFILTER NAT &
IPFW DUMMYNET.

Basically, there was an asymmetry in the order the two filters were called,
because the code in ip_input.c called IPFILTER before entering the IPFW
code, and ip_output.c did the same, while it should have called first IPFW
then IPFILTER. (beware, it might have been the opposite WRT what was first
in which function, I don't remember exactly).

Does your new code take this ordering issue into account?

I suppose it would be nice to be able to control the order filters are
processed: I may like IPFW to be 'wrapping' IPFILTER (that is, called before
it during input, and after it during output), while others might prefer the
opposite.

And anyway, am I right that the filter list should be traversed in opposite
directions during input versus output (maybe it's already so)?

Ciao,
Angelo.
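
The ordering question raised in this message, as an added toy model in C (not code from the patch, from FreeBSD, or from the author of the message). It shows which address a rule-matching hook sees when a NAT hook sits behind it in the chain, with and without reversing the chain for output. The hook names, the addresses and the `reverse_on_output` switch are assumptions made for illustration.

```c
#include <stdio.h>

/* Toy model, not FreeBSD code: a packet is reduced to the one address
 * that NAT rewrites. All values and names here are constructed. */
enum dir { DIR_IN, DIR_OUT };
#define INSIDE_ADDR 10   /* private address of the inside host */
#define PUBLIC_ADDR 99   /* address NAT presents to the outside */

struct pkt { int addr; int fw_saw; };
typedef void (*hook_fn)(struct pkt *, enum dir);

/* Stands in for the NAT filter: un-translate inbound, translate outbound. */
static void nat_hook(struct pkt *p, enum dir d) {
    if (d == DIR_IN && p->addr == PUBLIC_ADDR) p->addr = INSIDE_ADDR;
    else if (d == DIR_OUT && p->addr == INSIDE_ADDR) p->addr = PUBLIC_ADDR;
}

/* Stands in for the rule-matching filter: record the address it matched on. */
static void fw_hook(struct pkt *p, enum dir d) { (void)d; p->fw_saw = p->addr; }

/* Registration order: fw first, nat second ("fw wraps nat"). */
static hook_fn chain[] = { fw_hook, nat_hook };
#define NHOOKS ((int)(sizeof chain / sizeof chain[0]))

/* Run the chain; optionally walk it backwards for outbound packets.
 * Returns the address the firewall hook saw. */
int fw_sees(enum dir d, int reverse_on_output) {
    /* Inbound arrives addressed to PUBLIC_ADDR, outbound leaves from INSIDE_ADDR. */
    struct pkt p = { d == DIR_IN ? PUBLIC_ADDR : INSIDE_ADDR, -1 };
    if (d == DIR_OUT && reverse_on_output)
        for (int i = NHOOKS - 1; i >= 0; i--) chain[i](&p, d);
    else
        for (int i = 0; i < NHOOKS; i++) chain[i](&p, d);
    return p.fw_saw;
}

int main(void) {
    for (int rev = 0; rev <= 1; rev++)
        printf("reverse_on_output=%d: fw sees %d inbound, %d outbound\n",
               rev, fw_sees(DIR_IN, rev), fw_sees(DIR_OUT, rev));
    return 0;
}
```

When the chain is walked in the same order in both directions, the matching hook sees the public address inbound and the private address outbound, so a rule or pipe keyed on one address covers only one direction of the flow.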