Date:      Wed, 24 May 2006 22:30:43 +0200
From:      Andre Oppermann <andre@freebsd.org>
To:        Oleg Bulyzhin <oleg@freebsd.org>
Cc:        cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org
Subject:   Re: cvs commit: src/sys/netinet ip_fw.h ip_fw2.c src/sbin/ipfw ipfw.8 ipfw2.c
Message-ID:  <4474C273.7030801@freebsd.org>
In-Reply-To: <20060524190726.GB62483@lath.rinet.ru>
References:  <200605241309.k4OD9tex003002@repoman.freebsd.org> <20060524131602.GA57006@lath.rinet.ru> <44747A4C.9090800@freebsd.org> <20060524190726.GB62483@lath.rinet.ru>

Oleg Bulyzhin wrote:
> On Wed, May 24, 2006 at 05:22:52PM +0200, Andre Oppermann wrote:
>> Oleg Bulyzhin wrote:
>>> On Wed, May 24, 2006 at 01:09:55PM +0000, Oleg Bulyzhin wrote:
>>>> oleg        2006-05-24 13:09:55 UTC
>>>>
>>>>  FreeBSD src repository
>>>>
>>>>  Modified files:
>>>>    sys/netinet          ip_fw.h ip_fw2.c 
>>>>    sbin/ipfw            ipfw.8 ipfw2.c 
>>>>  Log:
>>>>  Implement internal (i.e. inside kernel) packet tagging using
>>>>  mbuf_tags(9).
>>>>  Since tags are kept while packet resides in kernelspace, it's possible to
>>>>  use other kernel facilities (like netgraph nodes) for altering those tags.
>>>>  
>>>>  Submitted by:   Andrey Elsukov <bu7cher at yandex dot ru>
>>>>  Submitted by:   Vadim Goncharov <vadimnuclight at tpu dot ru>
>>>>  Approved by:    glebius (mentor)
>>>>  Idea from:      OpenBSD PF
>>>>  MFC after:      1 month
>>>>  
>>>>  Revision  Changes    Path
>>>>  1.188     +61 -1     src/sbin/ipfw/ipfw.8
>>>>  1.89      +72 -8     src/sbin/ipfw/ipfw2.c
>>>>  1.106     +6 -0      src/sys/netinet/ip_fw.h
>>>>  1.132     +57 -1     src/sys/netinet/ip_fw2.c
>>> Examples of ipfw rules syntax:
>>> 	count tag 100 ip from any to any
>>> 	allow untag 10 ip from any to any tagged 10
>> Does this accept the packet and untag it at the same time?  Wouldn't
>> it make more sense to have [tag|untag] as its own operators like
>> [allow|deny]?
>>
>>> 	allow tag 200 ip from any to any not tagged 0-65535
>>>
>> -- 
>> Andre
> 
> It was just a syntax example; of course those rules are useless. The main
> idea of tags: you can alter them outside ipfw, so it's possible to make
> policy routing/filtering/etc. decisions outside ipfw.

I'm perfectly fine with tags.  My question was just about the ipfw
rule syntax for tagging.  See my email to Andrey for a more detailed
rant.

-- 
Andre
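
An added worked example, not code from the commit or from anyone in this thread: a small userspace C model of the tag / untag / tagged mechanics the commit introduces, showing the point Oleg makes, that a mark set by one ipfw rule can be rewritten by something outside ipfw (a stand-in for a netgraph node) before a later ipfw rule acts on it. In the real kernel the marks are mbuf_tags(9) entries on the mbuf and the rules run in ip_fw2.c; here the tag list is a fixed-size array and the three rule sets, the port numbers and the "trusted source" flag are assumptions chosen purely for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Bound on tags per packet; an assumption of this model only. */
#define MAX_TAGS 8

/* Model of a packet carrying ipfw tags. In the FreeBSD kernel these are
 * mbuf_tags(9) entries hanging off the mbuf; here they are a plain array. */
struct pkt {
    uint16_t dport;        /* destination port, used for classification */
    int      trusted_src;  /* assumed out-of-band "trusted source" flag */
    uint16_t tags[MAX_TAGS];
    int      ntags;
};

/* tag N: attach tag N unless the packet already carries it. */
static int pkt_tag(struct pkt *m, uint16_t n)
{
    for (int i = 0; i < m->ntags; i++)
        if (m->tags[i] == n)
            return 0;      /* already tagged, nothing to do */
    if (m->ntags == MAX_TAGS)
        return -1;         /* model limit; a real tag allocation can fail too */
    m->tags[m->ntags++] = n;
    return 1;
}

/* untag N: remove tag N if present. Returns 1 if a tag was removed. */
static int pkt_untag(struct pkt *m, uint16_t n)
{
    for (int i = 0; i < m->ntags; i++) {
        if (m->tags[i] == n) {
            m->tags[i] = m->tags[--m->ntags];  /* tag order is irrelevant */
            return 1;
        }
    }
    return 0;
}

/* tagged LO-HI: true if the packet carries any tag in the range [lo, hi]. */
static int pkt_tagged(const struct pkt *m, uint16_t lo, uint16_t hi)
{
    for (int i = 0; i < m->ntags; i++)
        if (m->tags[i] >= lo && m->tags[i] <= hi)
            return 1;
    return 0;
}

enum verdict { DENY = 0, ALLOW = 1 };

/* Stage 1 (ipfw, assumed rule):  count tag 100 tcp from any to any 22
 * "count" does not terminate the search, so the packet is only marked. */
static void ipfw_classify(struct pkt *m)
{
    if (m->dport == 22)
        pkt_tag(m, 100);
}

/* Stage 2 (outside ipfw): stand-in for e.g. a netgraph node that rewrites
 * the mark while the packet is still inside the kernel. It promotes
 * tag 100 to tag 200 for packets from a trusted source. */
static void external_retag(struct pkt *m)
{
    if (m->trusted_src && pkt_untag(m, 100))
        pkt_tag(m, 200);
}

/* Stage 3 (ipfw, assumed rules):
 *   allow untag 200 ip from any to any tagged 200   trusted SSH: accept, clear mark
 *   deny  ip from any to any tagged 100             untrusted SSH: drop
 *   allow ip from any to any not tagged 0-65535     anything unmarked passes
 *   deny  ip from any to any                        default */
static enum verdict ipfw_decide(struct pkt *m)
{
    if (pkt_tagged(m, 200, 200)) {
        pkt_untag(m, 200);
        return ALLOW;
    }
    if (pkt_tagged(m, 100, 100))
        return DENY;
    if (!pkt_tagged(m, 0, 65535))
        return ALLOW;
    return DENY;
}

/* Run one packet through all three stages; returns the verdict and,
 * if tags_left is non-NULL, how many tags remain on the packet. */
static enum verdict run_packet(uint16_t dport, int trusted_src, int *tags_left)
{
    struct pkt m = { .dport = dport, .trusted_src = trusted_src, .ntags = 0 };
    ipfw_classify(&m);
    external_retag(&m);
    enum verdict v = ipfw_decide(&m);
    if (tags_left)
        *tags_left = m.ntags;
    return v;
}

/* Convenience wrapper: number of tags still attached after stage 3. */
static int tags_left_after(uint16_t dport, int trusted_src)
{
    int left = 0;
    run_packet(dport, trusted_src, &left);
    return left;
}

int main(void)
{
    const char *names[] = { "deny", "allow" };
    printf("trusted ssh:   %s, %d tag(s) left\n", names[run_packet(22, 1, NULL)], tags_left_after(22, 1));
    printf("untrusted ssh: %s, %d tag(s) left\n", names[run_packet(22, 0, NULL)], tags_left_after(22, 0));
    printf("http:          %s, %d tag(s) left\n", names[run_packet(80, 0, NULL)], tags_left_after(80, 0));
    return 0;
}
```

The untrusted SSH packet is denied with its tag 100 still attached, which is the case to keep in mind when a later facility (or a second pass through ipfw) might see a packet that an earlier rule already judged: a tag is a mark, not a verdict, and nothing clears it unless a rule with untag matches.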