cvs commit: src/sys/netinet ip_fw.h ip_fw2.c src/sbin/ipfw ipfw.8 ipfw2.c
Andre Oppermann
andre at freebsd.org
Wed May 24 13:30:46 PDT 2006
Oleg Bulyzhin wrote:
> On Wed, May 24, 2006 at 05:22:52PM +0200, Andre Oppermann wrote:
>> Oleg Bulyzhin wrote:
>>> On Wed, May 24, 2006 at 01:09:55PM +0000, Oleg Bulyzhin wrote:
>>>> oleg 2006-05-24 13:09:55 UTC
>>>>
>>>> FreeBSD src repository
>>>>
>>>> Modified files:
>>>> sys/netinet ip_fw.h ip_fw2.c
>>>> sbin/ipfw ipfw.8 ipfw2.c
>>>> Log:
>>>> Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
>>>> Since tags are kept while packet resides in kernelspace, it's possible to
>>>> use other kernel facilities (like netgraph nodes) for altering those tags.
>>>>
>>>> Submitted by: Andrey Elsukov <bu7cher at yandex dot ru>
>>>> Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru>
>>>> Approved by: glebius (mentor)
>>>> Idea from: OpenBSD PF
>>>> MFC after: 1 month
>>>>
>>>> Revision  Changes   Path
>>>> 1.188     +61 -1    src/sbin/ipfw/ipfw.8
>>>> 1.89      +72 -8    src/sbin/ipfw/ipfw2.c
>>>> 1.106     +6 -0     src/sys/netinet/ip_fw.h
>>>> 1.132     +57 -1    src/sys/netinet/ip_fw2.c
>>> Examples of ipfw rules syntax:
>>> count tag 100 ip from any to any
>>> allow untag 10 ip from any to any tagged 10
>> Does this accept the packet and untag it at the same time? Wouldn't
>> it make more sense to have [tag|untag] as its own operators like
>> [allow|deny]?
>>
>>> allow tag 200 ip from any to any not tagged 0-65535
>>>
>> --
>> Andre
>
> It was just a syntax example; of course those rules are useless. The main idea
> of tags: you can alter them outside ipfw, so it's possible to make
> policy routing/filtering/etc. decisions outside ipfw.
I'm perfectly fine with tags. My question was just about the ipfw
rule syntax for tagging. See my email to Andrey for a more detailed
rant.
--
Andre