Date: Sun, 17 Jan 2010 12:04:43 +0100
From: Luigi Rizzo <rizzo@iet.unipi.it>
To: Hajimu UMEMOTO <ume@freebsd.org>
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, David Horn <dhorn2000@gmail.com>, freebsd-ipfw@freebsd.org
Subject: Re: Unified rc.firewall ipfw me/me6 issue
Message-ID: <20100117110443.GA58434@onelab2.iet.unipi.it>
In-Reply-To: <ygeiqb1w299.wl%ume@mahoroba.org>
References: <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com> <ygek4wmyp3j.wl%ume@mahoroba.org> <25ff90d60912180612y2b1f64fbw34b4d7f648762087@mail.gmail.com> <yged42c4770.wl%ume@mahoroba.org> <25ff90d61001021736p7b695197q104f4a7769b51b71@mail.gmail.com> <yge8wc5u872.wl%ume@mahoroba.org> <20100110185232.GA27907@onelab2.iet.unipi.it> <ygeiqb1w299.wl%ume@mahoroba.org>

On Sun, Jan 17, 2010 at 05:42:58PM +0900, Hajimu UMEMOTO wrote:
> Hi,
>
> >>>>> On Sun, 10 Jan 2010 19:52:32 +0100
> >>>>> Luigi Rizzo <rizzo@iet.unipi.it> said:
>
> rizzo> We only need one 'me' option that matches v4 and v6, because the
> rizzo> other two can be implemented as 'ip4 me' and 'ip6 me' at no extra
> rizzo> cost (the code for 'me' only scans the list corresponding to the
> rizzo> actual address family of the packet). I would actually vote for
> rizzo> removing the 'me6' microinstruction from the kernel, and implement
> rizzo> it in /sbin/ipfw by generating 'ip6 me'.
>
> rizzo> Feel free to commit the change yourself.
>
> Thank you. I've committed 1st patch and 3rd patch.
> I think it is better removing the 'me6' microinstruction from the
> kernel, and implement it in /sbin/ipfw by generating 'ip6 me'.
> However, it seems to me that /sbin/ipfw is not designed to generate
> two microinstructions (ip6 me) per one 'me6' easily.

Indeed, it might be useful to insert, at the beginning of function
ipfw_add, a small preprocessing step that translates all instances
of 'me6' into 'ip6 me' and then proceed with the current parsing.

While doing that, one could even NULL-terminate the array av[] so
we don't need to carry both ac and av through the code.

Something like

	/* worst case: every word is 'me6' and expands to two, plus NULL */
	new_av = safe_calloc(ac*2 + 1, sizeof(char *));
	for (src = dst = 0; src < ac; src++) {
		if (!strcmp(av[src], "me6")) {
			/* rewrite 'me6' as the two words 'ip6 me' */
			new_av[dst++] = "ip6";
			new_av[dst++] = "me";
		} else {
			new_av[dst++] = av[src];
		}
	}
	new_av[dst] = NULL;	/* terminator is not counted in ac */
	av = new_av;
	ac = dst;

should do the job. Replacing the tests for 'ac > 0' and ac>1 is
straightforward though it touches a large number of lines (most of
the usage is in the 'NEED1' macro).

cheers
luigi

> Sincerely,
>
> --
> Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
> ume@mahoroba.org  ume@{,jp.}FreeBSD.org
> http://www.imasy.org/~ume/
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"