per-interface packet filters [summary]
Luigi Rizzo
rizzo at icir.org
Tue Dec 14 06:03:42 PST 2004
On Tue, Dec 14, 2004 at 01:47:35PM +0100, Andre Oppermann wrote:
...
> > Implementationwise, the kernel side is evidently trivial as the
> > original code already supports the idea of multiple chains. All
> > you need is to extend the struct ifnet with a pointer to the chain,
> > or use some other trick (e.g. going through ifindex) to quickly
> > associate a chain to the input (and possibly output) interface.
>
> Nonononononononononononononononononononononono.
Andre, you need to cool down a bit!
I said "use some other trick" exactly to avoid changing
the struct ifnet. All I meant to say is that we want a unique
key, possibly in a small namespace, to quickly locate the per-if
private firewall info. How the key is used is not the business of
the rest of the kernel. But of course if it is an index in a
smallish array (such as ifindex) the thing is fast and clean.
cheers
luigi