cvs commit: src/sys/netinet ip_fw2.c src/sys/sys mbuf.h
Max Laier
max at love2party.net
Mon Jul 19 18:45:04 PDT 2004
On Tuesday 20 July 2004 03:09, Darren Reed wrote:
> On Sat, Jul 17, 2004 at 05:38:07AM +0200, Max Laier wrote:
> > On Saturday 17 July 2004 04:40, Juli Mallett wrote:
> > > Log:
> > > Make M_SKIP_FIREWALL a global (and semantic) flag, preventing
> > > anything from using M_PROTO6 and possibly shooting someone's foot, as
> > > well as allowing the firewall to be used in multiple passes, or with a
> > > packet classifier frontend, that may need to explicitly allow a certain
> > > packet. Presently this is handled in the ipfw_chk code as before,
> > > though I have run with it moved to upper layers, and possibly it should
> > > apply to ipfilter and pf as well, though this has not been
> > > investigated.
> >
> > pf does something to the same effect by prepending an mbuf with the
> > "PACKET_TAG_PF_GENERATED" mbuf_tag to skip processing for its own
> > packets. If we can agree that the presence of M_SKIP_FIREWALL is copied
> > to icmp error messages I will happily replace the mbuf tag with the more
> > general flag (which will perform significantly better, I believe). Please
> > tell me what you think of this.
>
> Hmmm...personally, I think it is better if firewall packages only ignore
> what they've generated themselves.
>
> If you're using multiple ones together, you may wish to use one as a gap
> filler that is able to manage the "output" of another.
That is one of the reasons I do not agree with Juli to handle M_SKIP_FIREWALL
in the upper layer. Every packet filter should still have the option to say,
"Okay, want me to skip? ... I don't care" (because the admin did configure me
this way). Still it is sensible to have a global way to do it in order to
allow things (in other parts of the kernel) that are hard to describe by
firewall rules. Moreover, nothing prevents ipfilter from adding more magic to
the mbuf in order to identify it as its own (e.g. mbuf_tag), but now you
have the additional benefit that you can *hint* to the others that this is
something that they *should* (!= must) not molest.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
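The decision order argued for in this message (a package always skips what it generated itself, the global flag is only a hint each package may or may not honor, and the hint is carried over to ICMP errors) can be modelled in a few lines. The following is an added example, not FreeBSD's mbuf, ipfw or pf code: only the names M_SKIP_FIREWALL and PACKET_TAG_PF_GENERATED come from the thread; the packet struct, the per-filter `honor_skip_hint` knob, the tag list and the deny-all rule set are assumptions made for illustration.

```c
/* Added example modelling the thread's design; not FreeBSD kernel code.
 * Names M_SKIP_FIREWALL and PACKET_TAG_PF_GENERATED are from the thread,
 * everything else (struct pkt, struct filter, tag values) is assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define M_SKIP_FIREWALL 0x0001  /* global hint: "you should not molest this" */

enum tag_type { TAG_NONE = 0, PACKET_TAG_PF_GENERATED = 1, TAG_IPFW_GENERATED = 2 };

struct pkt {
    uint32_t flags;          /* global flags, visible to every consumer */
    enum tag_type tags[4];   /* package-private tags (mbuf_tag analogue) */
    size_t ntags;
};

enum verdict { V_PASS = 0, V_DROP = 1 };

struct filter {
    const char *name;
    bool honor_skip_hint;    /* admin knob: obey M_SKIP_FIREWALL or not */
    enum tag_type own_tag;   /* tag this package puts on its own packets */
    enum verdict (*rules)(const struct pkt *);  /* the real rule set */
};

static bool pkt_has_tag(const struct pkt *p, enum tag_type t)
{
    for (size_t i = 0; i < p->ntags; i++)
        if (p->tags[i] == t)
            return true;
    return false;
}

static void pkt_add_tag(struct pkt *p, enum tag_type t)
{
    if (p->ntags < sizeof p->tags / sizeof p->tags[0])
        p->tags[p->ntags++] = t;
}

/* Own packets are always skipped; the global flag is honored only if the
 * admin configured it that way; otherwise the rule set decides. */
static enum verdict filter_check(const struct filter *f, const struct pkt *p)
{
    if (f->own_tag != TAG_NONE && pkt_has_tag(p, f->own_tag))
        return V_PASS;
    if (f->honor_skip_hint && (p->flags & M_SKIP_FIREWALL))
        return V_PASS;
    return f->rules(p);
}

/* ICMP error in reply to orig: the skip hint is copied so the error gets
 * the same treatment as the packet that provoked it. */
static struct pkt icmp_error_for(const struct pkt *orig)
{
    struct pkt err;
    memset(&err, 0, sizeof err);
    err.flags = orig->flags & M_SKIP_FIREWALL;
    return err;
}

/* Deliberately strict rules, so only the skip paths let anything through. */
static enum verdict deny_all(const struct pkt *p) { (void)p; return V_DROP; }

static const struct filter pf_filter   = { "pf",   false, PACKET_TAG_PF_GENERATED, deny_all };
static const struct filter gap_filler  = { "ipfw", false, TAG_IPFW_GENERATED,      deny_all };
static const struct filter polite_ipfw = { "ipfw", true,  TAG_IPFW_GENERATED,      deny_all };

static struct pkt pf_generated_packet(void)
{
    struct pkt p = {0};
    pkt_add_tag(&p, PACKET_TAG_PF_GENERATED);
    return p;
}

static struct pkt hinted_packet(void)
{
    struct pkt p = {0};
    p.flags |= M_SKIP_FIREWALL;
    return p;
}

/* pf ignores what it generated itself, regardless of the global hint. */
enum verdict demo_pf_sees_own_packet(void)
{ struct pkt p = pf_generated_packet(); return filter_check(&pf_filter, &p); }

/* A "gap filler" configured to ignore the hint still manages pf's output. */
enum verdict demo_gap_filler_sees_pf_packet(void)
{ struct pkt p = pf_generated_packet(); return filter_check(&gap_filler, &p); }

/* The same hinted packet: honored by one ipfw config, ignored by another. */
enum verdict demo_hint_honored(void)
{ struct pkt p = hinted_packet(); return filter_check(&polite_ipfw, &p); }

enum verdict demo_hint_ignored(void)
{ struct pkt p = hinted_packet(); return filter_check(&gap_filler, &p); }

/* The ICMP error inherits the hint, so a polite filter passes it too. */
bool demo_icmp_error_keeps_hint(void)
{
    struct pkt p = hinted_packet();
    struct pkt e = icmp_error_for(&p);
    return (e.flags & M_SKIP_FIREWALL) && filter_check(&polite_ipfw, &e) == V_PASS;
}

int main(void)
{
    printf("pf own packet: %s\n", demo_pf_sees_own_packet() == V_PASS ? "pass" : "drop");
    printf("gap filler on pf packet: %s\n", demo_gap_filler_sees_pf_packet() == V_PASS ? "pass" : "drop");
    printf("hint honored: %s, hint ignored: %s\n",
           demo_hint_honored() == V_PASS ? "pass" : "drop",
           demo_hint_ignored() == V_PASS ? "pass" : "drop");
    printf("icmp error keeps hint: %s\n", demo_icmp_error_keeps_hint() ? "yes" : "no");
    return 0;
}
```

The two ipfw configurations share one rule set and differ only in `honor_skip_hint`, which is the point of the message: the flag is a "should", decided per package by its administrator, while the package-private tag remains a "must" for the package's own traffic.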