Date: Wed, 22 Apr 1998 10:49:15 -0700 (PDT)
From: Julian Elischer
To: Eivind Eklund
cc: Julian Elischer, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-sys@FreeBSD.ORG
Subject: Re: cvs commit: src/sys/netinet ip_fw.c
In-Reply-To: <19980422155133.57092@follo.net>

If you could send your proposal....
(or I could try to look it up in the archives.. when was it and what subject?)

On Wed, 22 Apr 1998, Eivind Eklund wrote:

> On Tue, Apr 21, 1998 at 04:31:13PM -0700, Julian Elischer wrote:
> > Eivind Eklund wrote:
> > > This still doesn't solve the problems with IPFW (foremost, that
> > > extending the structure blows the userland interface).
> >
> > why?
> > if you recompile it with a new structure...
>
> That's what I'm saying - it blows the userland interface. It means
> that anything using IPFW has to track the kernel version exactly.
>
> > > We need a new interface - I proposed an interface to -hackers some
> > > time back, and got exactly NO response :-(
> > >
> >
> > I agree on the new interface, but the limit on the structure size
> > was that each file rule had to fit into an mbuf.
> > this removes that limit and should look identical to the user
> > land program.
> > I was considering using IOCTLS instead..
> > what was your suggestion?
>
> In-kernel object building. Basically, first an object is created in
> the kernel with default values, and then the userland side sends a set
> of 'change field' requests, and at 'commit' the object is added to the
> firewall chain. I also added support for multiple firewall chains to
> the interface, 'just in case'.
>
> Copies of the original, detailed mail (200 lines) are available on
> request (or I can re-send it to hackers).
>
> Eivind.
>
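
Added example, not part of the original mail and not code from ipfw or from the proposal: a userspace C model of the create / 'change field' / 'commit' sequence described in the quoted text. Every name here (fw_create, fw_set, fw_commit, the field ids, the limits) is hypothetical. It shows why the caller no longer depends on the rule structure's layout, and that a half-built rule is never on a chain.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical names throughout; this models the idea, not ipfw's real ABI. */
enum fw_field { FW_ACTION = 1, FW_SRC = 2, FW_DST = 3, FW_DPORT = 4 };
enum { FW_DENY = 0, FW_ALLOW = 1, FW_NCHAINS = 2, FW_MAXRULES = 8 };

struct fw_rule {            /* private to the "kernel" side; may grow freely */
    uint32_t action, src, dst, dport;
    int committed;
};

static struct fw_rule pool[FW_MAXRULES];
static int pool_used;
static struct fw_rule *chains[FW_NCHAINS][FW_MAXRULES];
static int chain_len[FW_NCHAINS];

static struct fw_rule *fw_lookup(int h) {
    return (h >= 0 && h < pool_used) ? &pool[h] : NULL;
}

/* Step 1: create an object with safe defaults (deny, all other fields zero). */
int fw_create(void) {
    if (pool_used >= FW_MAXRULES) return -1;
    pool[pool_used] = (struct fw_rule){ .action = FW_DENY };
    return pool_used++;     /* the handle is all userland ever sees */
}

/* Step 2: one 'change field' request; unknown ids and bad values are refused. */
int fw_set(int h, uint32_t field, uint32_t value) {
    struct fw_rule *r = fw_lookup(h);
    if (r == NULL || r->committed) return -1;   /* committed rules are frozen */
    switch (field) {
    case FW_ACTION: if (value > FW_ALLOW) return -1; r->action = value; return 0;
    case FW_SRC:    r->src = value; return 0;
    case FW_DST:    r->dst = value; return 0;
    case FW_DPORT:  if (value > 65535) return -1; r->dport = value; return 0;
    default:        return -1;   /* a field this kernel does not know */
    }
}

/* Step 3: commit appends the finished object to one of several chains. */
int fw_commit(int h, int chain) {
    struct fw_rule *r = fw_lookup(h);
    if (r == NULL || r->committed || chain < 0 || chain >= FW_NCHAINS) return -1;
    if (chain_len[chain] >= FW_MAXRULES) return -1;
    chains[chain][chain_len[chain]++] = r;
    r->committed = 1;
    return 0;
}

int fw_chain_len(int chain) { return chain_len[chain]; }
```

Adding a field to struct fw_rule only adds a case to fw_set; a caller built against the older field list keeps working unchanged.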