From owner-cvs-all Mon May 13 4:50:14 2002
Delivered-To: cvs-all@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 4173C37B400; Mon, 13 May 2002 04:50:03 -0700 (PDT)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g4DBnjb5043261; Mon, 13 May 2002 07:49:46 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Mon, 13 May 2002 07:49:45 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Luigi Rizzo
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/net if_ethersubr.c src/sys/netinet ip_dummynet.c ip_dummynet.h
In-Reply-To: <200205131037.g4DAbKq89983@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Multiple rule chains would simplify this conceptually, as well as possibly
improve performance.  I'd rather see us start to move in that direction,
offering a wave at compatibility by having a "common" chain run at each
location, and specific chains run only at specific locations.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Mon, 13 May 2002, Luigi Rizzo wrote:

> luigi       2002/05/13 03:37:20 PDT
>
>   Modified files:
>     sys/net              if_ethersubr.c
>     sys/netinet          ip_dummynet.c ip_dummynet.h
>   Log:
>   Add ipfw hooks to ether_demux() and ether_output_frame().
>   Ipfw processing of frames at layer 2 can be enabled by the sysctl variable
>
>       net.link.ether.ipfw=1
>
>   Consider this feature experimental, because right now, the firewall
>   is invoked in the places indicated below, and controlled by the
>   sysctl variables listed on the right.  As a consequence, a packet
>   can be filtered from 1 to 4 times depending on the path it follows,
>   which might make a ruleset a bit hard to follow.
>
>   I will add an ipfw option to tell if we want a given rule to apply
>   to ether_demux() and ether_output_frame(), but we have run out of
>   flags in the struct ip_fw so I need to think a bit on how to implement
>   this.
>
>                  to upper layers
>                  |            |
>                  +----------->-----------+
>                  ^                       V
>            [ip_input]             [ip_output]        net.inet.ip.fw.enable=1
>                  |                       |
>                  ^                       V
>          [ether_demux]       [ether_output_frame]    net.link.ether.ipfw=1
>                  |                       |
>                  +->- [bdg_forward]-->---+           net.link.ether.bridge_ipfw=1
>                  ^                       V
>                  |                       |
>                  to devices
>
>   Revision  Changes    Path
>   1.111     +146 -0    src/sys/net/if_ethersubr.c
>   1.46      +27 -5     src/sys/netinet/ip_dummynet.c
>   1.19      +2 -0      src/sys/netinet/ip_dummynet.h

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
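The "filtered from 1 to 4 times" effect in the quoted commit message follows directly from the diagram: each hook is gated by one sysctl, and a frame visits a different subset of hooks depending on whether it is delivered locally, originated locally, routed at layer 3, or bridged at layer 2. The following Python model is an added illustration, not FreeBSD code and not part of this thread; the hook-to-sysctl mapping is taken from the diagram, while the four path names (local_in, local_out, ip_forward, bridge) are assumed labels for the four traversals the diagram allows. It lets an administrator see how often a single rule is evaluated on each path for a given sysctl configuration, and which paths a configuration leaves unfiltered.

```python
"""Model of where ipfw inspects a packet on the paths in the commit message's
diagram.  Added illustration, not FreeBSD source: hook names and their
controlling sysctls come from the diagram; path labels are assumed here."""

# Each ipfw hook in the diagram and the sysctl that enables it.
HOOK_SYSCTL = {
    "ip_input": "net.inet.ip.fw.enable",
    "ip_output": "net.inet.ip.fw.enable",
    "ether_demux": "net.link.ether.ipfw",
    "ether_output_frame": "net.link.ether.ipfw",
    "bdg_forward": "net.link.ether.bridge_ipfw",
}

# The traversals a frame can make through the diagram, hooks in visit order.
# (Path labels are assumed names for the four routes the diagram draws.)
PATHS = {
    # device -> this host: up the left column to the upper layers
    "local_in": ["ether_demux", "ip_input"],
    # this host -> device: down the right column
    "local_out": ["ip_output", "ether_output_frame"],
    # device -> device, routed at layer 3: up the left, over the top, down the right
    "ip_forward": ["ether_demux", "ip_input", "ip_output", "ether_output_frame"],
    # device -> device, bridged at layer 2: across the bottom through bdg_forward
    "bridge": ["bdg_forward"],
}


def firewall_passes(path, sysctls):
    """Hooks, in traversal order, at which ipfw runs for a packet on `path`
    under `sysctls` (dict of sysctl name -> int; unset counts as 0)."""
    return [h for h in PATHS[path] if sysctls.get(HOOK_SYSCTL[h], 0)]


def rule_evaluations(path, sysctls):
    """Number of times one ipfw rule that matches the packet is evaluated.
    A `count` rule would increment once per pass; a `deny` rule terminates
    the packet at the first pass."""
    return len(firewall_passes(path, sysctls))


def pass_range(sysctls):
    """(min, max) evaluations over all paths: (1, 4) with every hook enabled."""
    counts = [rule_evaluations(p, sysctls) for p in PATHS]
    return min(counts), max(counts)


def unfiltered_paths(sysctls):
    """Paths on which no ipfw hook runs at all under this configuration.
    A defender wants this empty when ipfw is meant to cover every path."""
    return [p for p in PATHS if rule_evaluations(p, sysctls) == 0]


if __name__ == "__main__":
    # Constructed sample configurations, not values read from a live system.
    all_on = {"net.inet.ip.fw.enable": 1, "net.link.ether.ipfw": 1,
              "net.link.ether.bridge_ipfw": 1}
    l3_only = {"net.inet.ip.fw.enable": 1}
    for name, cfg in (("all hooks on", all_on), ("layer 3 only", l3_only)):
        print(f"== {name} ==")
        for p in PATHS:
            print(f"{p:11s} {rule_evaluations(p, cfg)} pass(es): "
                  f"{firewall_passes(p, cfg)}")
        print("range:", pass_range(cfg), "unfiltered:", unfiltered_paths(cfg))
```

The model makes Luigi's point concrete: with all three sysctls set, a routed packet is matched against the same ruleset four times and a bridged one only once, so a `count` rule's counters are not directly comparable across paths; with only net.inet.ip.fw.enable set, bridged traffic bypasses ipfw entirely, which is the kind of coverage gap the table of sysctls is meant to help an administrator spot.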