addition to ipfw..
Julian Elischer
julian at elischer.org
Sat Dec 16 20:58:00 PST 2006
Andre Oppermann wrote:
> Max Laier wrote:
>> I don't like the implementation for this reason. It feels hackish to
>> me. What is the reason that you didn't duplicate the ethernet header
>> approach in ip_fw_pfil.c? Speed? Did you measure? It is certainly
>> easier to properly strip off the vlan header in the pfil hook code and
>> reattach it when done (or trust the hardware to do it - if M_VLANTAG
>> was set in the first place).
>>
>> As an aside, I agree that the mtod mania isn't that great either and
>> we should probably do away with it. But that's orthogonal to the vlan
>> handling - I just don't like that to be pulled into *IP*fw. This
>> might just be me, however.
>
> IMO we should split IPFW into two parts (at least logically), one for
> *IP* firewalling, as you say, and one for Ethernet firewalling. With
> different not-intermixed rulesets. /sbin/ipfw could get a hardlink to
> /sbin/efw to do the ethernet rules display and manipulation. Note that
> this is a different thing from the etherbridge stuff where a layer 2
> frame is inspected and turned temporarily into a layer 3 IP packet for
> inspection on the IP layer.
Which is what this is for. I'm inspecting IP packets as they are
bridged, even if they are in VLANs.
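The approach Max describes above, stripping the 802.1Q header before the IP inspection path sees the packet and reattaching it afterwards, as an added example in C; this is not code from ipfw, ip_fw_pfil.c or this thread, and `vlan_strip`, `vlan_reattach`, `demo_roundtrip` and the sample frame are constructed here and work on a flat byte buffer rather than the kernel's mbuf and M_VLANTAG handling.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETHERTYPE_VLAN 0x8100
#define ETHERTYPE_IP   0x0800
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Remove an 802.1Q tag in place so the inner ethertype and the IP header sit
 * at the same offsets as in an untagged frame; the TCI is saved in *tci.
 * Returns the new length, or 0 if the frame is untagged or too short. */
size_t vlan_strip(uint8_t *frame, size_t len, uint16_t *tci)
{
    if (len < 18 || be16(frame + 12) != ETHERTYPE_VLAN)
        return 0;
    *tci = be16(frame + 14);
    memmove(frame + 12, frame + 16, len - 16);   /* drop the 4 tag bytes */
    return len - 4;
}

/* Put the tag back once inspection is done; the buffer needs 4 spare bytes. */
size_t vlan_reattach(uint8_t *frame, size_t len, uint16_t tci)
{
    memmove(frame + 16, frame + 12, len - 12);
    frame[12] = ETHERTYPE_VLAN >> 8; frame[13] = ETHERTYPE_VLAN & 0xff;
    frame[14] = (uint8_t)(tci >> 8); frame[15] = (uint8_t)(tci & 0xff);
    return len + 4;
}

/* Constructed sample: tagged frame (VLAN 100) carrying a minimal IPv4 header. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, /* dst, src */
    0x81,0x00, 0x00,0x64, 0x08,0x00,                /* TPID, TCI, inner = IPv4 */
    0x45,0x00,0x00,0x14, 0x00,0x00,0x40,0x00, 0x40,0x01,0x00,0x00, /* IPv4 hdr */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
};

/* Strip, inspect (read the IP version nibble where an IP-only firewall expects
 * it), reattach, and verify the frame is byte-identical; VLAN ID goes to *vid. */
int demo_roundtrip(uint16_t *vid)
{
    uint8_t buf[sizeof sample_frame]; uint16_t tci;
    memcpy(buf, sample_frame, sizeof buf);
    size_t n = vlan_strip(buf, sizeof buf, &tci);
    if (n == 0 || be16(buf + 12) != ETHERTYPE_IP || (buf[14] >> 4) != 4)
        return 0;
    *vid = tci & 0x0fff;
    return vlan_reattach(buf, n, tci) == sizeof buf &&
           memcmp(buf, sample_frame, sizeof buf) == 0;
}
```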