cvs commit: src/sys/netinet ip_fw2.c src/sys/sys mbuf.h
Max Laier
max at love2party.net
Fri Jul 16 20:40:28 PDT 2004
On Saturday 17 July 2004 04:40, Juli Mallett wrote:
> jmallett 2004-07-17 02:40:14 UTC
>
> FreeBSD src repository
>
> Modified files:
> sys/netinet ip_fw2.c
> sys/sys mbuf.h
> Log:
> Make M_SKIP_FIREWALL a global (and semantic) flag, preventing anything
> from using M_PROTO6 and possibly shooting someone's foot, as well as
> allowing the firewall to be used in multiple passes, or with a packet
> classifier frontend, that may need to explicitly allow a certain packet.
> Presently this is handled in the ipfw_chk code as before, though I have run
> with it moved to upper layers, and possibly it should apply to ipfilter and
> pf as well, though this has not been investigated.
pf does something to the same effect by prepending a mbuf with the
"PACKET_TAG_PF_GENERATED" mbuf_tag to skip processing for its own packets. If
we can agree that the presence of M_SKIP_FIREWALL is copied to icmp error
messages I will happily replace the mbuf tag with the more general flag
(which will perform significantly better, I believe). Please tell me what you
think of this.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: signature
Url : http://lists.freebsd.org/pipermail/cvs-src/attachments/20040717/b27f67bf/attachment.bin
More information about the cvs-src
mailing list