On Wed, May 24, 2006 at 05:22:52PM +0200, Andre Oppermann wrote:
> Oleg Bulyzhin wrote:
> >On Wed, May 24, 2006 at 01:09:55PM +0000, Oleg Bulyzhin wrote:
> >>oleg        2006-05-24 13:09:55 UTC
> >>
> >>  FreeBSD src repository
> >>
> >>  Modified files:
> >>    sys/netinet          ip_fw.h ip_fw2.c 
> >>    sbin/ipfw            ipfw.8 ipfw2.c 
> >>  Log:
> >>  Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
> >>  Since tags are kept while packet resides in kernelspace, it's possible to
> >>  use other kernel facilities (like netgraph nodes) for altering those tags.
> >>  
> >>  Submitted by:   Andrey Elsukov <bu7cher at yandex dot ru>
> >>  Submitted by:   Vadim Goncharov <vadimnuclight at tpu dot ru>
> >>  Approved by:    glebius (mentor)
> >>  Idea from:      OpenBSD PF
> >>  MFC after:      1 month
> >>  
> >>  Revision  Changes    Path
> >>  1.188     +61 -1     src/sbin/ipfw/ipfw.8
> >>  1.89      +72 -8     src/sbin/ipfw/ipfw2.c
> >>  1.106     +6 -0      src/sys/netinet/ip_fw.h
> >>  1.132     +57 -1     src/sys/netinet/ip_fw2.c
> >
> >Examples of ipfw rules syntax:
> >     count tag 100 ip from any to any
> >     allow untag 10 ip from any to any tagged 10
> 
> Does this accept the packet and untag it at the same time?  Wouldn't
> it make more sense to have [tag|untag] as its own operators like
> [allow|deny]?
> 
> >     allow tag 200 ip from any to any not tagged 0-65535
> >
> 
> -- 
> Andre

It was just a syntax example; of course those rules are useless. The main idea
of tags: you can alter them outside ipfw, so it's possible to make
policy routing/filtering/etc. decisions outside ipfw.

-- 
Oleg.


_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all