splitting m_flags to pkthdr.flags + m_flags
Andre Oppermann
oppermann at networx.ch
Fri Nov 2 22:29:04 UTC 2012

On 02.11.2012 18:18, Luigi Rizzo wrote:
> On Fri, Nov 02, 2012 at 09:12:23AM -0700, Juli Mallett wrote:
>> On Fri, Nov 2, 2012 at 5:54 AM, Andre Oppermann <oppermann at networx.ch> wrote:
>>
>>> On 02.11.2012 13:38, Gleb Smirnoff wrote:
>>>
>>>> #define M_SKIP_FIREWALL 0x00004000 /* skip firewall processing */
>>>>
>>>
>>> This one should become an M_PROTO overlay. It is only relevant within
>>> a protocol layer.
>>
>>
>> No, like M_PROMISC it needs to follow packets around throughout the stack,
>> and not conflict with anything else. My memory of the details is a bit
>> hazy, but ipfw2 unfortunately does need the flag to not be something that
>> could be accidentally set or cleared by another protocol layer, and the
>> flag needs to persist. Or did 8 years ago.
>
> M_SKIP_FIREWALL was introduced to make sure that packets coming
> out of a dummynet pipe were not reinjected in the firewall
> unless explicitly requested by the configuration.

Dummynet doesn't set or use M_SKIP_FIREWALL.

> I think it is also used by the ipfw stateful code so that
> probes to refresh the state of dynamic rules do not end up
> fooling the firewall itself.

Indeed.

> Besides the firewall can be invoked at multiple layers,
> so I believe it makes more sense to preserve the current behaviour
> rather than make it into a M_PROTO flag.

I've looked at the code and it all happens at the IP[46] layer.
No layer crossing going on. M_PROTO use is perfectly valid here.

--
Andre