[RFC] Enabling IPFIREWALL_FORWARD in run-time
Alexander V. Chernikov
melifaro at FreeBSD.org
Fri Oct 19 15:17:44 UTC 2012
On 19.10.2012 18:05, Andre Oppermann wrote:
> On 19.10.2012 14:18, Andrey V. Elsukov wrote:
>> On 19.10.2012 16:02, Andre Oppermann wrote:>>
>> http://people.freebsd.org/~ae/pfil_forward.diff
>>>>
>>>> Also we have done some tests with the ixia traffic generator connected
>>>> via 10G network adapter. Tests have show that there is no visible
>>>> difference, and there is no visible performance degradation.
>>>>
>>>> Any objections?
>>>
>>> No objection as such. However I don't entirely agree with the
>>> naming of pfil_forward. The functionality is specific to IPFW
>>> and TCP, it's doing transparent interjected termination of tcp
>>> connections on the local host while keeping the original IP
>>> addresses and port numbers visible in netstat output.
>>>
>>> So it's a feature of IPFW/IP and should be fitted in there for
>>> sysctl name and .h files instead of pfil.
>>
>> Actually it can be used not only by ipfw. We already have
>> net.inet.ip.forwarding and net.inet6.ip6.forwarding variables, and
>> placing it into net.inet.ip.fw is undesirable, because we can have
>> kernel without ipfw. So, i decided to choose pfil, because it could not
>> work without pfil.
>
> Again, it's not a property of pfil. It's a property of IP and it
Not exactly. It is currently supported in both IPv4 and IPv6.
> should live there from a configuration point of view. Other firewalls
> than ipfw don't make use of it.
>
> You could rename it to transparent connection proxy or some such.
fwd is widely used as policy-based routing, so it is not just
upper-layer TCP feature.
>
--
WBR, Alexander
More information about the freebsd-net
mailing list