Date: Sat, 16 Dec 2006 20:57:58 -0800
From: Julian Elischer <julian@elischer.org>
To: Andre Oppermann <andre@freebsd.org>
Cc: Max Laier <max@love2party.net>, freebsd-net@freebsd.org
Subject: Re: addition to ipfw..
Message-ID: <4584CE56.5070606@elischer.org>
In-Reply-To: <4583B919.8030008@freebsd.org>
References: <457DCD47.5090004@elischer.org> <200612120045.41425.max@love2party.net> <4583119B.20608@elischer.org> <200612160446.02644.max@love2party.net> <4583B919.8030008@freebsd.org>
Andre Oppermann wrote:
> Max Laier wrote:
>> I don't like the implementation for this reason. It feels hackish to
>> me. What is the reason that you didn't duplicate the ethernet header
>> approach in ip_fw_pfil.c? Speed? Did you measure? It is certainly
>> easier to properly strip off the vlan header in the pfil hook code and
>> reattach it when done (or trust the hardware to do it - if M_VLANTAG
>> was set in the first place).
>>
>> As an aside, I agree that the mtod mania isn't that great either and
>> we should probably do away with it. But that's orthogonal to the vlan
>> handling - I just don't like that to be pulled into *IP*fw. This
>> might just be me, however.
>
> IMO we should split IPFW into two parts (at least logically), one for
> *IP* firewalling, as you say, and one for Ethernet firewalling. With
> different not-intermixed rulesets. /sbin/ipfw could get a hardlink to
> /sbin/efw to do the ethernet rules display and manipulation. Note that
> this is a different thing from the etherbridge stuff where a layer 2
> frame is inspected and turned temporarily into a layer 3 IP packet for
> inspection on the IP layer.

which is what this is for.. I'm inspecting IP packets as they are
bridged even if they are in vlans.

>
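The strip-then-reattach handling Max describes (and the M_VLANTAG shortcut where the NIC has already pulled the tag out of band) can be illustrated without touching ipfw internals. The following is an added example, not code from this thread or from FreeBSD: `struct frame` is a hypothetical stand-in for an mbuf whose `has_oob_tag`/`oob_tci` fields play the role of M_VLANTAG and the out-of-band tag, the sample frame is constructed here, and none of the ip_fw_pfil.c plumbing is reproduced. It shows why an IP-layer inspection path wants the tag gone: with the tag in band the IP header is not at the fixed Ethernet offset, after stripping it is, and reattaching restores the original bytes exactly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDR_LEN        14      /* dst(6) + src(6) + ethertype(2) */
#define ETHER_VLAN_ENCAP_LEN 4       /* TPID(2) + TCI(2) */
#define ETHERTYPE_VLAN       0x8100
#define ETHERTYPE_IP         0x0800

/* Hypothetical mbuf stand-in (not FreeBSD's): frame bytes plus an out-of-band
 * tag slot, mirroring M_VLANTAG where the NIC strips the tag in hardware. */
struct frame {
    uint8_t  data[1600];
    size_t   len;
    int      has_oob_tag;            /* tag held out of band, like M_VLANTAG */
    uint16_t oob_tci;                /* PCP(3) | DEI(1) | VID(12) */
};

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Strip an in-band 802.1Q tag, saving the TCI out of band. Returns 1 if a tag
 * was removed, 0 if none was present (untagged or already NIC-stripped),
 * -1 if the frame is too short to decide (a truncated tag is not trusted). */
int vlan_strip(struct frame *f)
{
    if (f->len < ETHER_HDR_LEN) return -1;
    if (get_be16(f->data + 12) != ETHERTYPE_VLAN) return 0;
    if (f->len < ETHER_HDR_LEN + ETHER_VLAN_ENCAP_LEN) return -1;
    f->oob_tci = get_be16(f->data + 14);
    f->has_oob_tag = 1;
    /* slide the encapsulated ethertype and payload down over the tag */
    memmove(f->data + 12, f->data + 16, f->len - 16);
    f->len -= ETHER_VLAN_ENCAP_LEN;
    return 1;
}

/* Reinsert the saved tag once inspection is done. Returns 1 if reinserted,
 * 0 if there was nothing to reinsert, -1 if the buffer cannot grow. */
int vlan_reattach(struct frame *f)
{
    if (!f->has_oob_tag) return 0;
    if (f->len < 12 || f->len + ETHER_VLAN_ENCAP_LEN > sizeof f->data) return -1;
    memmove(f->data + 16, f->data + 12, f->len - 12);
    put_be16(f->data + 12, ETHERTYPE_VLAN);
    put_be16(f->data + 14, f->oob_tci);
    f->len += ETHER_VLAN_ENCAP_LEN;
    f->has_oob_tag = 0;
    return 1;
}

/* Offset of the IPv4 header, or -1 if the frame does not carry IPv4 at the
 * fixed Ethernet offset (a tag still in band makes this fail on purpose). */
int ip_header_offset(const struct frame *f)
{
    if (f->len < ETHER_HDR_LEN + 20) return -1;
    if (get_be16(f->data + 12) != ETHERTYPE_IP) return -1;
    if ((f->data[ETHER_HDR_LEN] >> 4) != 4) return -1;
    return ETHER_HDR_LEN;
}

/* Constructed sample: VLAN 100 frame with a minimal IPv4 header for
 * 10.0.0.1 -> 10.0.0.2 (IP checksum left zero; only the layout matters). */
static const uint8_t sample_tagged[] = {
    0x00,0x11,0x22,0x33,0x44,0x55,            /* dst MAC */
    0x66,0x77,0x88,0x99,0xaa,0xbb,            /* src MAC */
    0x81,0x00, 0x00,0x64,                     /* 802.1Q TPID, TCI (VID 100) */
    0x08,0x00,                                /* encapsulated ethertype: IPv4 */
    0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, /* ver/ihl, tos, total len, id, frag */
    0x40,0x01,0x00,0x00,                      /* ttl, proto ICMP, checksum */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02  /* src, dst */
};

static void load_sample(struct frame *f)
{
    memset(f, 0, sizeof *f);
    memcpy(f->data, sample_tagged, sizeof sample_tagged);
    f->len = sizeof sample_tagged;
}

/* Strip, locate the IP header, and report the VID; negative on any failure. */
int demo_vlan_id(void)
{
    struct frame f;
    load_sample(&f);
    if (ip_header_offset(&f) != -1) return -1;          /* tag still in the way */
    if (vlan_strip(&f) != 1) return -2;
    if (ip_header_offset(&f) != ETHER_HDR_LEN) return -3;
    return f.oob_tci & 0x0fff;
}

/* Strip then reattach must reproduce the original bytes exactly: 1 on success. */
int demo_roundtrip(void)
{
    struct frame f;
    load_sample(&f);
    if (vlan_strip(&f) != 1 || vlan_reattach(&f) != 1) return 0;
    return f.len == sizeof sample_tagged && memcmp(f.data, sample_tagged, f.len) == 0;
}

int main(void)
{
    printf("VID %d, roundtrip %s\n", demo_vlan_id(), demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The two length checks in `vlan_strip` are the part a hook author most easily drops: a frame that announces 0x8100 but ends inside the tag must be rejected rather than have four bytes of garbage treated as a TCI. The NIC-stripped case falls out naturally: a frame handed over with `has_oob_tag` already set and no in-band tag makes `vlan_strip` return 0 and `ip_header_offset` succeed immediately, which is the M_VLANTAG shortcut Max refers to.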
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4584CE56.5070606>