addition to ipfw..
Andre Oppermann
andre at freebsd.org
Sat Dec 16 01:15:22 PST 2006
Max Laier wrote:
> I don't like the implementation for this reason. It feels hackish to me.
> What is the reason that you didn't duplicate the ethernet header approach
> in ip_fw_pfil.c? Speed? Did you measure? It is certainly easier to
> properly strip off the vlan header in the pfil hook code and reattach it
> when done (or trust the hardware to do it - if M_VLANTAG was set in the
> first place).
>
> As an aside, I agree that the mtod mania isn't that great either and we
> should probably do away with it. But that's orthogonal to the vlan
> handling - I just don't like that to be pulled into *IP*fw. This might
> just be me, however.
IMO we should split IPFW into two parts (at least logically), one for
*IP* firewalling, as you say, and one for Ethernet firewalling. With
different not-intermixed rulesets. /sbin/ipfw could get a hardlink to
/sbin/efw to do the ethernet rules display and manipulation. Note that
this is a different thing from the etherbridge stuff where a layer 2
frame is inspected and turned temporarily into a layer 3 IP packet for
inspection on the IP layer.
--
Andre