cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h
if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c
pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c
Luigi Rizzo
rizzo at icir.org
Thu Feb 26 07:11:24 PST 2004
On Thu, Feb 26, 2004 at 11:24:22AM +0100, Andre Oppermann wrote:
> Luigi,
>
> do you have any patches ready or in the works to make ipfw2 use the
> PFIL_HOOKS API? That would simplify ip_input() and ip_output() a
> *great* deal.
no, i will try to look and see if i can implement something of use.
But i don't think you'd save much more than the extra call to
ip_fw_chk() -- things such as 'divert' and 'forward'
greatly interact with the rest of the packet processing in ip_input()
and ip_output(). If you look at the code, calling
the firewall is a short block of code; the big offender is the
processing after the firewall returns with a non-trivial action
(especially 'forward' in ip_output()).
cheers
luigi
> --
> Andre