> I was just having a quick peek at how ipfw works in FreeBSD-4 for IPv6,
> to see what's required for IP-Filter (hoping for a clean interface)
> and the response is "sigh". The old ipfw mechanism needs to be
> abandoned, IMHO.

Can you comment a bit more? I am a bit unclear on what
exactly it is that you don't find appropriate in ipfw etc.
If you have a URL for a pfil(9) manpage I would appreciate it.

Some comments:

The issue of one vs. multiple lists (per direction, interface,
protocol, you name it) has been discussed some time ago. For sure
multiple lists are a (minor, given that we can start the ipfw lists
with a few of "skipto") performance improvement over a single one,
at the possible price of having some duplication in writing filters
and even defining how many lists are appropriate.

> The advantage to using pfil(9) from NetBSD (unless someone feels
> the distinct need to roll their own code to do something the same)
> is it provides a clean interface rather than requiring people to
> patch things like ip6_input.c, etc.

I think that if you want to do tricks such as
forward, divert, dummynet and the like, it is unavoidable to
have to hook in the middle of ${proto}_{input|output}.c, as
you end up doing protocol-specific things...

cheers
luigi
-----------------------------------+-------------------------------------
Luigi RIZZO, [EMAIL PROTECTED] . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/ . Universita` di Pisa
TEL/FAX: +39-050-568.533/522 . via Diotisalvi 2, 56126 PISA (Italy)
Mobile +39-347-0373137
-----------------------------------+-------------------------------------
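
Added example, not part of the original message and not ipfw's own code: a simplified Python model of one numbered, first-match rule list, comparing a flat list with one that starts with a few "skipto" rules, as the reply describes. The interface names, rule numbers, ports and the deny-at-end-of-list default are assumptions made for illustration.

```python
# Simplified model of a single first-match rule list with "skipto".
# This is not ipfw's implementation; all rule data below is constructed.

def rule(num, action, **match):
    """A rule matches when every given field equals the packet's field."""
    return {"num": num, "action": action, "match": match}

def evaluate(rules, pkt):
    """Return (verdict, rules_examined) for pkt against a numbered list."""
    rules = sorted(rules, key=lambda r: r["num"])
    i = examined = 0
    while i < len(rules):
        r = rules[i]
        examined += 1
        if all(pkt.get(k) == v for k, v in r["match"].items()):
            act = r["action"]
            if isinstance(act, tuple):  # ("skipto", N): jump forward only
                i = next((j for j in range(i + 1, len(rules))
                          if rules[j]["num"] >= act[1]), len(rules))
                continue
            return act, examined
        i += 1
    return "deny", examined  # assumed default when the list is exhausted

PORTS_A = range(1000, 1020)  # constructed: 20 allowed ports on fxp0
PORTS_B = range(2000, 2020)  # constructed: 20 allowed ports on fxp1

def flat_list():
    """One list, every rule repeats the interface match."""
    rules = [rule(100 + i, "allow", iface="fxp0", dport=p)
             for i, p in enumerate(PORTS_A)]
    rules += [rule(200 + i, "allow", iface="fxp1", dport=p)
              for i, p in enumerate(PORTS_B)]
    return rules

def skipto_list():
    """Same policy, but two skipto rules dispatch to per-interface blocks."""
    rules = [rule(10, ("skipto", 1000), iface="fxp0"),
             rule(20, ("skipto", 2000), iface="fxp1"),
             rule(30, "deny")]
    rules += [rule(1000 + i, "allow", dport=p) for i, p in enumerate(PORTS_A)]
    rules.append(rule(1999, "deny"))
    rules += [rule(2000 + i, "allow", dport=p) for i, p in enumerate(PORTS_B)]
    rules.append(rule(2999, "deny"))
    return rules

if __name__ == "__main__":
    pkt = {"iface": "fxp1", "dport": 2019}
    print("flat:  ", evaluate(flat_list(), pkt))
    print("skipto:", evaluate(skipto_list(), pkt))
```

In this model a packet on the second interface is checked against 40 rules in the flat list and 22 with the skipto dispatch, while a packet matching the very first flat rule pays one extra rule for the dispatch.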