[RFC] Enabling IPFIREWALL_FORWARD in run-time

Andre Oppermann oppermann at networx.ch
Fri Oct 19 14:05:50 UTC 2012


On 19.10.2012 14:18, Andrey V. Elsukov wrote:
> On 19.10.2012 16:02, Andre Oppermann wrote:
>>
>>> http://people.freebsd.org/~ae/pfil_forward.diff
>>>
>>> Also we have done some tests with the Ixia traffic generator connected
>>> via a 10G network adapter. Tests have shown that there is no visible
>>> difference, and there is no visible performance degradation.
>>>
>>> Any objections?
>>
>> No objection as such.  However I don't entirely agree with the
>> naming of pfil_forward.  The functionality is specific to IPFW
>> and TCP, it's doing transparent interjected termination of tcp
>> connections on the local host while keeping the original IP
>> addresses and port numbers visible in netstat output.
>>
>> So it's a feature of IPFW/IP and should be fitted in there for
>> sysctl name and .h files instead of pfil.
>
> Actually it can be used not only by ipfw. We already have
> net.inet.ip.forwarding and net.inet6.ip6.forwarding variables, and
> placing it into net.inet.ip.fw is undesirable, because we can have
> kernel without ipfw. So, I decided to choose pfil, because it could not
> work without pfil.

Again, it's not a property of pfil.  It's a property of IP and it
should live there from a configuration point of view. Other firewalls
than ipfw don't make use of it.

You could rename it to transparent connection proxy or some such.

-- 
Andre


