From: Andre Oppermann
Date: Tue, 22 Jun 2004 13:48:53 +0200
To: Angelo Turetta
cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org
Subject: Re: New preview patch for ipfw to pfil_hooks conversion
Message-ID: <40D81CA5.599AA4DB@freebsd.org>
References: <40D754D5.1070805@freebsd.org> <006901c4583e$b651fe60$5a2ba8c0@lan>

Angelo Turetta wrote:
>
> ----- Original Message -----
> From: "Andre Oppermann"
> Sent: Monday, June 21, 2004 11:36 PM
>
> > This patch significantly cleans up ip_input.c and ip_output.c.
> >
> > The following is included in this patch:
> >
> > o Remove all ipfw related cruft from ip_input() and ip_output()
> > o New ip_fw_pfil.c file which contains all ipfw/pfil_hooks logic
>
> IIRC, I had once a problem with a mixed setup where I used IPFILTER NAT &
> IPFW DUMMYNET. Basically, there was an asymmetry in the order the two
> filters were called, because the code in ip_input.c called IPFILTER before
> entering the IPFW code, and ip_output.c did the same, while it should have
> called first IPFW then IPFILTER. (Beware, it might have been the opposite
> WRT what was first in which function, I don't remember exactly.)

The new code fixes this. With ipfw using pfil_hooks the ordering will be
preserved for input and output (reversed).

> Does your new code take this ordering issue into account? I suppose it would
> be nice to be able to control the order filters are processed: I may like
> IPFW to be 'wrapping' IPFILTER (that is, called before it during input, and
> after it during output), while others might prefer the opposite. And anyway,
> am I right the filter list should be traversed in opposite directions during
> input versus output (maybe it's already so)?

When you load the packet filters as kld's you can specify the order of
processing yourself. For compiled-in ones it depends on which initialization
function is called first.

--
Andre
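The ordering rule Andre describes, as an added user-space model in C (not FreeBSD kernel code and not part of this thread): each loaded filter is registered on both lists, the input list is built as the reverse of the output list so a packet takes the same path in and out, and load order therefore decides which filter wraps the other. The head/tail insertion rule and the hook names are assumptions for illustration.

```c
/* Constructed model of pfil_hooks ordering; assumes input hooks are inserted
 * at the list head and output hooks at the tail (not the kernel's own code). */
#include <stdio.h>
#include <string.h>

#define MAX_HOOKS 8

/* A registered hook; the real kernel stores a function pointer here. */
struct hook { const char *name; };

/* Separate input and output lists, as a pfil_head keeps them. */
struct pfil_head {
    struct hook in[MAX_HOOKS];  int nin;
    struct hook out[MAX_HOOKS]; int nout;
};

/* Register a filter for both directions. Input goes to the head, output to
 * the tail, so input order is the reverse of output order. Returns -1 on full. */
static int pfil_add_hook(struct pfil_head *ph, const char *name)
{
    if (ph->nin >= MAX_HOOKS || ph->nout >= MAX_HOOKS)
        return -1;
    memmove(&ph->in[1], &ph->in[0], (size_t)ph->nin * sizeof(struct hook));
    ph->in[0].name = name;
    ph->nin++;
    ph->out[ph->nout++].name = name;
    return 0;
}

/* Render the traversal order for one direction as "a>b>c"; returns length. */
static int pfil_run_order(const struct pfil_head *ph, int input,
                          char *buf, size_t len)
{
    const struct hook *list = input ? ph->in : ph->out;
    int n = input ? ph->nin : ph->nout;
    buf[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (i)
            strncat(buf, ">", len - strlen(buf) - 1);
        strncat(buf, list[i].name, len - strlen(buf) - 1);
    }
    return (int)strlen(buf);
}

int main(void)
{
    struct pfil_head ph;
    char in[64], out[64];
    memset(&ph, 0, sizeof ph);
    /* Load order chosen by the admin: ipfilter (NAT) first, then ipfw. */
    pfil_add_hook(&ph, "ipfilter");
    pfil_add_hook(&ph, "ipfw");
    pfil_run_order(&ph, 1, in, sizeof in);
    pfil_run_order(&ph, 0, out, sizeof out);
    printf("input : %s\noutput: %s\n", in, out); /* ipfw wraps ipfilter */
    return 0;
}
```

Loading ipfw first instead gives the opposite wrapping, which is the control Angelo asked for.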