Date:      Thu, 15 Jul 1999 14:55:32 -0400
From:      "Allen Smith" <easmith@beatrice.rutgers.edu>
To:        Darren Reed <darrenr@reed.wattle.id.au>
Cc:        freebsd-net@freebsd.org, ipfilter@coombs.anu.edu.au
Subject:   Re: IPFilter improvement: Kernel hacker's assistance needed
Message-ID:  <9907151455.ZM1457@beatrice.rutgers.edu>
In-Reply-To: Darren Reed <darrenr@reed.wattle.id.au> "Re: IPFilter improvement: Kernel hacker's assistance needed" (Jul 15,  6:21am)
References:  <199907151022.UAA29394@avalon.reed.wattle.id.au>

On Jul 15,  6:21am, Darren Reed (possibly) wrote:
> In some email I received from Allen Smith, sie wrote:
> > 
> > Hi. I'm trying to add support for "keep state" with "fastroute" in the 
> > IPFilter code. Guido was going to be helping me with this, but he's on 
> > vacation until August 1st. Anyone willing to help? I've got code that
> > should do it, but it keeps having kernel panics (Fatal Trap 12: page
> > fault while in kernel mode) when it goes into the fr_check code. I
> > suspect I'm dereferencing a null pointer or some such - not unlikely,
> > since I'm not much of a C programmer (I far prefer Perl, and am not a
> > professional at programming to begin with - I'm a geneticist).
> 
> My idea on how this should work:
> - implement a reference count for rules
> - increase it by one each time a keep state matches it (and decrease each
>   time state is lost, 0'ing on a state flush)
> - orphan but don't free rules if they have a > 0 reference count
> - return a pointer to the rule via fr_checkstate() rather than `pass' and
>   assign to fr, and set pass to the value of the rule.
> 
> How's that match up with what you're doing ? :)

A different approach, but I'll try it out (for one thing, it'll enable 
the use by "keep state" of future options)... note that I'll also need 
to do this to the frags code to enable keeping frags with
fastroute/to. I'm using the existing fr_ref for the reference count
(with some modifications to accommodate the current group usage - I
also did some changes that should enable the use of multiple heads to
groups, _if_ I've figured out what fr_grp and fg_start do properly;
more info on those would be very desirable).

One twist in this regard is the reverse packet setup - in other words, 
setting things up so that packets coming in in reverse are fastrouted
in the same way. You don't want to do this if the packet was
originally outgoing, since in that case the reverse packets should go
to the firewall machine itself (they were originally coming out of
it), but you do for the ones that were originally incoming. This
necessitates setting up a reverse rule, or at least enough to match
the other information.

	-Allen

-- 
Allen Smith				easmith@beatrice.rutgers.edu
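The rule reference-count scheme Darren sketches above (take a reference each time a "keep state" entry matches a rule, orphan a deleted rule while its count is non-zero, release on state expiry and zero everything on a state flush), as a constructed C model added here; it is not IPFilter's code nor either author's, and although the type and field names echo IPFilter's (frentry_t, fr_ref), the functions and the is_active/fr_orphaned fields are assumptions:

```c
#include <stdlib.h>

/* Constructed model of the reference-counted rule scheme from the thread.
 * Type and field names echo IPFilter's, but none of this is IPFilter code. */
typedef struct frentry {
    int fr_ref;      /* state entries currently pointing at this rule */
    int fr_orphaned; /* deleted from the ruleset while still referenced */
} frentry_t;
typedef struct ipstate {
    frentry_t *is_rule; /* rule whose "keep state" created this entry */
    int is_active;
} ipstate_t;
/* Drop one reference; an orphaned rule is freed once its count hits zero.
 * Returns 1 if the rule was freed, 0 otherwise. */
static int rule_release(frentry_t *fr) {
    if (fr->fr_ref > 0 && --fr->fr_ref == 0 && fr->fr_orphaned) {
        free(fr);
        return 1;
    }
    return 0;
}
/* A packet matched a "keep state" rule: record the state and take a reference,
 * so the rule cannot be freed under the state entry that points at it. */
void state_add(ipstate_t *is, frentry_t *fr) {
    is->is_rule = fr;
    is->is_active = 1;
    fr->fr_ref++;
}
/* State entry expired: release its reference. Returns 1 if that freed the rule. */
int state_remove(ipstate_t *is) {
    if (!is->is_active) return 0;
    is->is_active = 0;
    return rule_release(is->is_rule);
}
/* State flush: every live entry releases its reference, so counts reach zero
 * and orphaned rules are finally freed. Returns how many rules were freed. */
int state_flush(ipstate_t *table, int n) {
    int freed = 0;
    for (int i = 0; i < n; i++)
        freed += state_remove(&table[i]);
    return freed;
}
/* Rule deleted by the administrator: free it only if nothing references it,
 * otherwise orphan it and let the last state_remove free it. Returns 1 if freed. */
int rule_delete(frentry_t *fr) {
    fr->fr_orphaned = 1;
    if (fr->fr_ref == 0) { free(fr); return 1; }
    return 0;
}
```

The panic Allen describes is what this ordering prevents: a state entry whose rule was freed out from under it would dereference a dangling fr pointer in the fr_check path.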