Date:      Mon, 14 Nov 2016 15:55:59 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Franco Fichtner <franco@lastsummer.de>, freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: netpfil with if_output and ip(6)_output
Message-ID:  <bcee818f-f6e4-a0ff-6dcd-01687cc8b909@yandex.ru>
In-Reply-To: <2456B7E6-2425-4D86-A02B-33CE1EFEB608@lastsummer.de>
References:  <2456B7E6-2425-4D86-A02B-33CE1EFEB608@lastsummer.de>

On 14.11.2016 15:24, Franco Fichtner wrote:
> I've opened a review to start removal of if_output from the
> pf code with a conservative first batch, which would eventually
> enable ipfw and pf redirect packets using the same PACKET_TAG_IPFORWARD
> mechanism.  It was met with multiple opinions, but no agenda out
> of the current situation:
>
> https://reviews.freebsd.org/D8109
>
> Since the discussion went stale, I would like to pose three
> questions to a wider audience:
>
> Is there interest in keeping the netpfil framework consistent
> for use with either ipfw or pf?
>
> Is there interest in keeping the netpfil framework consistent
> for use with ipfw and pf running at the same time?
>
> Is there anyone willing to review and guide work towards
> correcting these oddities?

Hi,

I have some thoughts related to your proposal.
What do you think if we introduce a new KPI to work with fwd_tags?
With such a KPI we can make fwd_tags opaque for PFIL consumers and handle
tags identically in all *proto*_output() routines.

At first glance I can propose the following:

/* ip_var.h */
#define	IP_HAS_NEXTHOP(m)	((m)->m_flags & M_IP_NEXTHOP)
int ip_set_fwdtag(struct mbuf *m, struct sockaddr_in *dst,
    u_short ifidx);
int ip_get_fwdtag(struct mbuf *m, struct sockaddr_in *dst,
    u_short *ifidx);
void ip_flush_fwdtag(struct mbuf *m);


/* ip6_var.h */
#define	IP6_HAS_NEXTHOP(m)	((m)->m_flags & M_IP6_NEXTHOP)
int ip6_set_fwdtag(struct mbuf *m, struct sockaddr_in6 *dst,
    u_short ifidx);
int ip6_get_fwdtag(struct mbuf *m, struct sockaddr_in6 *dst,
    u_short *ifidx);
void ip6_flush_fwdtag(struct mbuf *m);

Since I'm not quite aware of how PF handles PACKET_TAG_IPFORWARD tags, you
can modify this to fully cover its needs.

-- 
WBR, Andrey V. Elsukov
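
A userland sketch of how the proposed IPv4 calls could behave, added here as an illustration and not code from this message or from FreeBSD. `struct pkt` stands in for `struct mbuf` and `unsigned short` for `u_short`; the flag value, the errno return codes, the address-family check and the one-tag-per-packet replacement rule are all assumptions.

```c
/* Userland model: struct pkt stands in for struct mbuf; return codes are assumed. */
#include <errno.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <sys/socket.h>

#define M_IP_NEXTHOP 0x1	/* constructed value for this model */
#define IP_HAS_NEXTHOP(m) ((m)->m_flags & M_IP_NEXTHOP)
struct fwd_tag { struct sockaddr_in dst; unsigned short ifidx; }; /* KPI-private */
struct pkt { int m_flags; struct fwd_tag *tag; };	/* mbuf stand-in */

void ip_flush_fwdtag(struct pkt *m)
{
	free(m->tag);
	m->tag = NULL;
	m->m_flags &= ~M_IP_NEXTHOP;
}
/* Filter side: record the next hop; a second call replaces the first. */
int ip_set_fwdtag(struct pkt *m, struct sockaddr_in *dst, unsigned short ifidx)
{
	struct fwd_tag *t;
	if (dst->sin_family != AF_INET)
		return (EAFNOSUPPORT);
	if ((t = malloc(sizeof(*t))) == NULL)
		return (ENOMEM);
	t->dst = *dst;
	t->ifidx = ifidx;
	ip_flush_fwdtag(m);
	m->tag = t;
	m->m_flags |= M_IP_NEXTHOP;
	return (0);
}
/* Output side: copy the next hop out without seeing the tag layout. */
int ip_get_fwdtag(struct pkt *m, struct sockaddr_in *dst, unsigned short *ifidx)
{
	if (!IP_HAS_NEXTHOP(m))
		return (ENOENT);
	*dst = m->tag->dst;
	*ifidx = m->tag->ifidx;
	return (0);
}
int main(void)
{
	struct pkt m = { 0, NULL };
	struct sockaddr_in nh = { .sin_family = AF_INET }, out;
	unsigned short ifidx;
	int error = ip_set_fwdtag(&m, &nh, 2) || ip_get_fwdtag(&m, &out, &ifidx);
	ip_flush_fwdtag(&m);
	return (error);
}
```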

