From owner-freebsd-net@FreeBSD.ORG Tue Dec 14 14:03:42 2004
Date: Tue, 14 Dec 2004 06:03:41 -0800
From: Luigi Rizzo
To: Andre Oppermann
cc: Max Laier
cc: freebsd-net@freebsd.org
Subject: Re: per-interface packet filters [summary]
Message-ID: <20041214060341.A77720@xorpc.icir.org>
In-Reply-To: <41BEE0E7.BD2316EB@freebsd.org>; from andre@freebsd.org on Tue, Dec 14, 2004 at 01:47:35PM +0100
References: <20041213124051.GB32719@cell.sick.ru> <20041214085123.GB42820@cell.sick.ru> <20041214015603.A75019@xorpc.icir.org> <41BEE0E7.BD2316EB@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Dec 14, 2004 at 01:47:35PM +0100, Andre Oppermann wrote:
...
> > Implementationwise, the kernel side is evidently trivial as the
> > original code already supports the idea of multiple chains. All
> > you need is to extend the struct ifnet with a pointer to the chain,
> > or use some other trick (e.g. going through ifindex) to quickly
> > associate a chain to the input (and possibly output) interface.
>
> Nonononononononononononononononononononononono.

Andre, you need to cool down a bit!

I said "use some other trick" exactly to avoid changing the struct ifnet.
All I meant to say is that we want a unique key, possibly in a small
namespace, to quickly locate the per-if private firewall info.
How the key is used is not a business of the rest of the kernel.
But of course if it is an index in a smallish array (such as ifindex)
the thing is fast and clean.

cheers
luigi
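The design Luigi sketches, a per-interface chain located through a small key such as ifindex without touching struct ifnet, as an added illustration that is not his code nor FreeBSD's ipfw (the rule/chain layout, MAX_IFINDEX and all function names are constructed for the example; lookups outside the table fall back to the global chain):

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed illustration of a per-interface chain table keyed by
 * ifindex; not FreeBSD's ipfw code. struct ifnet is untouched: the
 * firewall keeps its own small array indexed by ifindex and falls back
 * to the global chain for interfaces without a private one. */
#define MAX_IFINDEX 16            /* constructed bound for the example */
enum action { FW_PASS = 0, FW_DENY = 1 };

struct rule { uint32_t src; uint16_t dport; enum action act; struct rule *next; };
struct chain { struct rule *head; enum action default_act; };

static struct chain global_chain = { NULL, FW_PASS };
static struct chain *ifchains[MAX_IFINDEX + 1];   /* NULL = no private chain */

/* Attach a chain to an interface; -1 if the index is outside the table. */
int fw_attach_chain(unsigned ifindex, struct chain *c)
{
    if (ifindex == 0 || ifindex > MAX_IFINDEX)
        return -1;
    ifchains[ifindex] = c;
    return 0;
}

/* Find the chain for the input interface (O(1) array lookup), else global. */
static struct chain *fw_chain_for(unsigned ifindex)
{
    if (ifindex > 0 && ifindex <= MAX_IFINDEX && ifchains[ifindex] != NULL)
        return ifchains[ifindex];
    return &global_chain;
}

/* First matching rule decides; 0 in a rule field means "any". */
enum action fw_check(uint32_t src, uint16_t dport, unsigned ifindex)
{
    const struct chain *c = fw_chain_for(ifindex);
    for (const struct rule *r = c->head; r != NULL; r = r->next)
        if ((r->src == 0 || r->src == src) && (r->dport == 0 || r->dport == dport))
            return r->act;
    return c->default_act;
}

/* Sample setup: interface 2 gets a private chain denying port 23 (telnet). */
static struct rule deny_telnet = { 0, 23, FW_DENY, NULL };
static struct chain if2_chain = { &deny_telnet, FW_PASS };
int fw_demo_setup(void)
{
    return fw_attach_chain(2, &if2_chain);
}
```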