Date:      Wed, 7 May 1997 11:54:27 -0700 (PDT)
From:      Archie Cobbs <archie@whistle.com>
To:        nnd@info.itfs.nsk.su (Nickolay N. Dudorov)
Cc:        hackers@FreeBSD.ORG
Subject:   Re: divert still broken?
Message-ID:  <199705071854.LAA01477@bubba.whistle.com>
In-Reply-To: <5kpbbn$j4n@news.itfs.nsk.su> from "Nickolay N. Dudorov" at "May 7, 97 07:35:19 am"


> > Anything else? :-)
> 
> 	Can it be possible to extend 'negative' comparison
> logic to other filter components f.e.
> 
> 	add 4032 deny all from xxx.xxx.xxx.0 to any out via not cx0
> 						     (or not via cx0 ?)
> 
> 	Currently this is possible for src and dst addresses (and there
> is no more available flag bits ;-)

The biggest problem I've had is that setsockopt() limits the argument
to 108 bytes (which is MLEN, i.e., the size of an mbuf minus the header).
Right now sizeof(struct ip_fw) == 108, so there's no more room.

The flags word is 16 bits and it's all used up as well.

Question: would it be possible to move to an ioctl() based system instead
of setsockopt()?

Since kernel malloc() allocates things in powers of two, struct ip_fw
could then expand up to 128 bytes without using up any more kernel memory.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com