Date: Wed, 6 Jan 2010 12:50:43 +0100
From: Luigi Rizzo <rizzo@iet.unipi.it>
To: Ermal Luçi <eri@freebsd.org>
Cc: Luigi Rizzo <luigi@freebsd.org>, src-committers@freebsd.org, svn-src-user@freebsd.org
Subject: Re: svn commit: r201517 - in user/luigi/ipfw3-head/sys/netinet: . ipfw
Message-ID: <20100106115043.GA6064@onelab2.iet.unipi.it>
In-Reply-To: <9a542da31001051038t9f253fbo79241b11dbba9100@mail.gmail.com>
References: <201001041658.o04GwFfG023749@svn.freebsd.org> <9a542da31001051006r61af058eg715c29ef0d3d2020@mail.gmail.com> <20100105182643.GA93051@onelab2.iet.unipi.it> <9a542da31001051038t9f253fbo79241b11dbba9100@mail.gmail.com>

On Tue, Jan 05, 2010 at 07:38:51PM +0100, Ermal Luçi wrote:
> On Tue, Jan 5, 2010 at 7:26 PM, Luigi Rizzo <rizzo@iet.unipi.it> wrote:
...
> > I was not aware of pf support -- in fact, i wonder how divert could work
> > without ipfw because the function pointer ip_divert_ptr at the moment
> > is defined in ip_fw_pfil.c .
> >
> > There are in fact, I believe, two things that enforce the dependency:
> > 1. the ip_divert_ptr above. We should move it elsewhere, in the
> >    standard ip_* files;
> >
> > 2. the tag that is attached to the packet to record the reinject cookie
> >    (I have recently redefined it as MTAG_IPFW_RULE because i was
> >    not aware of the pf(4) support -- i need to revert/fix this if
> >    we want divert and pf cooperation (though note that I tried to
> >    have the same mtag format for all reinjected packets -- dummynet,
> >    divert, netgraph, ... so once we fix it for one application it
> >    should work for all with no special code).
> >
> > cheers
> > luigi
> >
>
> Check it out here
> http://svn.freebsd.org/viewvc/base/user/eri/pf45/head/
>
> The divert support
> with the pointer moving is commit 198045 for checking on how i have done in
> that branch. If you find a better solution go ahead and i will update the
> referenced pf branch as well.

very good. moving ip_divert_ptr to ip_input or some other global place
is trivial.

The other change required is to move the MTAG_IPFW_RULE
(and struct ipfw_rule_ref) to some common header instead of the
ipfw-specific headers. Renaming the struct or fields is fine.

As you see, the tag contains 2 pieces of information:
- a rule identifier (in ipfw it is rulenum:rule_id), which
  can be used for a lookup even if the configuration changes
  (and we cannot hold a lock or a refcount) as the packet may
  not come back;
- a "quick reference", protected by a version number, to be
  used to save the cost of a lookup in case the configuration
  has not changed.

I suppose the existing fields should be enough for pf as well,
possibly changing 'slot' to uintptr_t so you can put there a
pointer instead of a slot number.

can you give a try at adapting pf.c to this structure while
I move the ipfw_rule_ref to a common header ?

cheers
luigi
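
The two-part tag described in this message, sketched as an added example (not code from the ipfw3 branch, from pf, or from either author). The struct layouts, the `version` field name, the helper names and the sample ruleset are assumptions constructed for illustration; only `slot`, `rulenum` and `rule_id` are names taken from the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model for illustration; not the FreeBSD structures. */
struct rule { uint32_t rulenum, rule_id; };
struct chain { struct rule map[8]; uint32_t n, version; }; /* map sorted; version bumped on change */
struct rule_ref {                 /* what the tag on the packet carries */
    uint32_t slot;                /* quick reference: index into map */
    uint32_t rulenum, rule_id;    /* stable rule identifier */
    uint32_t version;             /* chain version when slot was saved */
};
struct resolved { uint32_t slot, rulenum; int fast; };

/* Slow path: first slot whose key is >= (rulenum, rule_id); linear for brevity. */
static uint32_t find_slot(const struct chain *c, uint32_t num, uint32_t id)
{
    uint32_t s = 0;
    while (s < c->n && (c->map[s].rulenum < num ||
           (c->map[s].rulenum == num && c->map[s].rule_id < id)))
        s++;
    return s;
}

/* Trust the saved slot only while the configuration version is unchanged. */
struct resolved resolve(const struct chain *c, const struct rule_ref *t)
{
    struct resolved r;
    r.fast = (t->version == c->version && t->slot < c->n);
    r.slot = r.fast ? t->slot : find_slot(c, t->rulenum, t->rule_id);
    r.rulenum = r.slot < c->n ? c->map[r.slot].rulenum : 0;
    return r;
}

/* Constructed scenario: tag at rule 300, optionally delete rule 100, then resolve. */
struct resolved demo(int reconfigure)
{
    struct chain c = { { {100, 1}, {200, 2}, {300, 3}, {400, 4} }, 4, 7 };
    struct rule_ref t = { 2, 300, 3, c.version };
    if (reconfigure) {            /* later rules shift down one slot */
        for (uint32_t i = 1; i < c.n; i++) c.map[i - 1] = c.map[i];
        c.n--; c.version++;
    }
    return resolve(&c, &t);
}

int main(void)
{
    printf("same config: slot %u; changed: slot %u\n", (unsigned)demo(0).slot, (unsigned)demo(1).slot);
    return 0;
}
```

In the reconfigured case the saved slot 2 would now point at rule 400, so using it without the version check would silently skip rule 300 for the reinjected packet.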