Date:      Tue, 20 Jul 2004 03:42:40 +0200
From:      Max Laier <max@love2party.net>
To:        Darren Reed <darrenr@hub.freebsd.org>
Cc:        cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_fw2.c src/sys/sys mbuf.h
Message-ID:  <200407200342.47359.max@love2party.net>
In-Reply-To: <20040720010905.GB63588@hub.freebsd.org>
References:  <200407170240.i6H2eEHO021683@repoman.freebsd.org> <200407170538.14572.max@love2party.net> <20040720010905.GB63588@hub.freebsd.org>


On Tuesday 20 July 2004 03:09, Darren Reed wrote:
> On Sat, Jul 17, 2004 at 05:38:07AM +0200, Max Laier wrote:
> > On Saturday 17 July 2004 04:40, Juli Mallett wrote:
> > >   Log:
> > >   Make M_SKIP_FIREWALL a global (and semantic) flag, preventing
> > > anything from using M_PROTO6 and possibly shooting someone's foot, as
> > > well as allowing the firewall to be used in multiple passes, or with a
> > > packet classifier frontend, that may need to explicitly allow a certain
> > > packet. Presently this is handled in the ipfw_chk code as before,
> > > though I have run with it moved to upper layers, and possibly it should
> > > apply to ipfilter and pf as well, though this has not been
> > > investigated.
> >
> > pf does something to the same effect by prepending a mbuf with the
> > "PACKET_TAG_PF_GENERATED" mbuf_tag to skip processing for its own
> > packets. If we can agree that the presence of M_SKIP_FIREWALL is copied
> > to icmp error messages I will happily replace the mbuf tag with the more
> > general flag (which will perform significantly better, I believe). Please
> > tell me what you think of this.
>
> Hmmm...personally, I think it is better if firewall packages only ignore
> what they've generated themselves.
>
> If you're using multiple ones together, you may wish to use one as a gap
> filler that is able to manage the "output" of another.

That is one of the reasons I do not agree with Juli to handle M_SKIP_FIREWALL
in the upper layer. Every packet filter should still have the option to say,
"Okay, want me to skip? ... I don't care" (because the admin did configure me
this way). Still it is sensible to have a global way to do it in order to
allow things (in other parts of the kernel) that are hard to describe by
firewall rules. Moreover, nothing prevents ipfilter from adding more magic to
the mbuf in order to identify it as its own (e.g. mbuf_tag), but now you
have the additional benefit that you can *hint* the others that this is
something that they *should* (!= must) not molest.

-- 
/"\  Best regards,			| mlaier@freebsd.org
\ /  Max Laier				| ICQ #67774661
 X   http://pf4freebsd.love2party.net/	| mlaier@EFnet
/ \  ASCII Ribbon Campaign		| Against HTML Mail and News
