[RFC] Enabling IPFIREWALL_FORWARD in run-time
Andrey V. Elsukov
ae at FreeBSD.org
Fri Oct 19 12:18:56 UTC 2012
On 19.10.2012 16:02, Andre Oppermann wrote:
>> http://people.freebsd.org/~ae/pfil_forward.diff
>>
>> Also we have done some tests with the ixia traffic generator connected
>> via 10G network adapter. Tests have shown that there is no visible
>> difference, and there is no visible performance degradation.
>>
>> Any objections?
>
> No objection as such. However I don't entirely agree with the
> naming of pfil_forward. The functionality is specific to IPFW
> and TCP, it's doing transparent interjected termination of tcp
> connections on the local host while keeping the original IP
> addresses and port numbers visible in netstat output.
>
> So it's a feature of IPFW/IP and should be fitted in there for
> sysctl name and .h files instead of pfil.
Actually it can be used not only by ipfw. We already have
net.inet.ip.forwarding and net.inet6.ip6.forwarding variables, and
placing it into net.inet.ip.fw is undesirable, because we can have
a kernel without ipfw. So, I decided to choose pfil, because it could not
work without pfil.
--
WBR, Andrey V. Elsukov