cvs commit: src/sys/netinet ip_fw.h ip_fw2.c src/sbin/ipfw ipfw.8 ipfw2.c
Oleg Bulyzhin
oleg at freebsd.org
Wed May 24 12:07:34 PDT 2006
On Wed, May 24, 2006 at 05:22:52PM +0200, Andre Oppermann wrote:
> Oleg Bulyzhin wrote:
> >On Wed, May 24, 2006 at 01:09:55PM +0000, Oleg Bulyzhin wrote:
> >>oleg 2006-05-24 13:09:55 UTC
> >>
> >> FreeBSD src repository
> >>
> >> Modified files:
> >> sys/netinet ip_fw.h ip_fw2.c
> >> sbin/ipfw ipfw.8 ipfw2.c
> >> Log:
> >> Implement internal (i.e. inside kernel) packet tagging using
> >> mbuf_tags(9).
> >> Since tags are kept while packet resides in kernelspace, it's possible to
> >> use other kernel facilities (like netgraph nodes) for altering those tags.
> >>
> >> Submitted by: Andrey Elsukov <bu7cher at yandex dot ru>
> >> Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru>
> >> Approved by: glebius (mentor)
> >> Idea from: OpenBSD PF
> >> MFC after: 1 month
> >>
> >> Revision Changes Path
> >> 1.188 +61 -1 src/sbin/ipfw/ipfw.8
> >> 1.89 +72 -8 src/sbin/ipfw/ipfw2.c
> >> 1.106 +6 -0 src/sys/netinet/ip_fw.h
> >> 1.132 +57 -1 src/sys/netinet/ip_fw2.c
> >
> >Examples of ipfw rules syntax:
> > count tag 100 ip from any to any
> > allow untag 10 ip from any to any tagged 10
>
> Does this accept the packet and untag it at the same time? Wouldn't
> it make more sense to have [tag|untag] as its own operators like
> [allow|deny]?
>
> > allow tag 200 ip from any to any not tagged 0-65535
> >
>
> --
> Andre
It was just a syntax example; of course those rules are useless. The main idea
of tags: you can alter them outside ipfw, so it's possible to make
policy routing/filtering/etc. decisions outside ipfw.
--
Oleg.