Andre Oppermann wrote:
> Max Laier wrote:
>> I don't like the implementation for this reason. It feels hackish to
>> me. What is the reason that you didn't duplicate the ethernet header
>> approach in ip_fw_pfil.c? Speed? Did you measure? It is certainly
>> easier to properly strip off the vlan header in the pfil hook code and
>> reattach it when done (or trust the hardware to do it - if M_VLANTAG
>> was set in the first place).
>>
>> As an aside, I agree that the mtod mania isn't that great either and
>> we should probably do away with it. But that's orthogonal to the vlan
>> handling - I just don't like that to be pulled into *IP*fw. This
>> might just be me, however.
>
> IMO we should split IPFW into two parts (at least logically), one for
> *IP* firewalling, as you say, and one for Ethernet firewalling. With
> different not-intermixed rulesets. /sbin/ipfw could get a hardlink to
> /sbin/efw to do the ethernet rules display and manipulation. Note that
> this is a different thing from the etherbridge stuff where a layer 2
> frame is inspected and turned temporarily into a layer 3 IP packet for
> inspection on the IP layer.

Which is what this is for. I'm inspecting IP packets as they are
bridged even if they are in vlans.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
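The strip-and-reattach approach Max describes, as an added illustration written for this page and not code from FreeBSD, ipfw, or the patch under discussion: a userland C model of a frame carrying an out-of-band tag (standing in for an mbuf with M_VLANTAG and ether_vtag), a hook that pops an in-band 802.1Q tag so the IP-layer check always sees an untagged frame with the IP header at a fixed offset, and a reinsert on the way out. The struct and function names (frame, vlan_strip, vlan_reattach, inspect_ip, bridge_hook, build_sample_frame) and the sample frame bytes are all constructed for the example; no pfil, mbuf or ipfw API is used.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETHERTYPE_VLAN 0x8100
#define ETHERTYPE_IP   0x0800
#define ETHER_HDR_LEN  14
#define VLAN_TAG_LEN   4
#define FRAME_MAX      1518

/* Constructed stand-in for an mbuf: a contiguous frame plus the
 * out-of-band tag that M_VLANTAG/ether_vtag carry in FreeBSD. */
struct frame {
    uint8_t  data[FRAME_MAX];
    size_t   len;
    int      has_vtag;   /* like M_VLANTAG: tag lives in vtag, not in data */
    uint16_t vtag;       /* 802.1Q TCI: PCP(3) | DEI(1) | VID(12), host order */
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

uint16_t vlan_vid(uint16_t tci) { return tci & 0x0fff; }

/* Move an in-band 802.1Q tag out of band. Returns 1 if a tag was stripped.
 * A frame the hardware already untagged (has_vtag set) is left alone. */
int vlan_strip(struct frame *f)
{
    if (f->has_vtag || f->len < ETHER_HDR_LEN + VLAN_TAG_LEN)
        return 0;
    if (get16(f->data + 12) != ETHERTYPE_VLAN)
        return 0;
    f->vtag = get16(f->data + 14);
    f->has_vtag = 1;
    /* Slide inner ethertype + payload down over the 4-byte tag. */
    memmove(f->data + 12, f->data + 16, f->len - 16);
    f->len -= VLAN_TAG_LEN;
    return 1;
}

/* Put the out-of-band tag back in band. Returns 1 if reinserted. */
int vlan_reattach(struct frame *f)
{
    if (!f->has_vtag || f->len + VLAN_TAG_LEN > FRAME_MAX)
        return 0;
    memmove(f->data + 16, f->data + 12, f->len - 12);
    put16(f->data + 12, ETHERTYPE_VLAN);
    put16(f->data + 14, f->vtag);
    f->len += VLAN_TAG_LEN;
    f->has_vtag = 0;
    return 1;
}

/* The "IP layer" check: returns the IPv4 protocol number, or -1 if the
 * frame is not a sane IPv4 packet. It never has to know about tags. */
int inspect_ip(const struct frame *f)
{
    if (f->len < ETHER_HDR_LEN + 20) return -1;
    if (get16(f->data + 12) != ETHERTYPE_IP) return -1;
    const uint8_t *ip = f->data + ETHER_HDR_LEN;
    if ((ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || f->len < ETHER_HDR_LEN + ihl) return -1;
    return ip[9];
}

/* The hook: strip, inspect, reattach only what we stripped ourselves. */
int bridge_hook(struct frame *f)
{
    int stripped = vlan_strip(f);
    int rc = inspect_ip(f);
    if (stripped)
        vlan_reattach(f);
    return rc;
}

/* Constructed sample: dst/src MACs, optional tag (VID 100), minimal IPv4/TCP header. */
void build_sample_frame(struct frame *f, int tagged)
{
    static const uint8_t macs[12] = {
        0x00,0x11,0x22,0x33,0x44,0x55,  0x66,0x77,0x88,0x99,0xaa,0xbb };
    static const uint8_t ipv4_tcp[20] = {
        0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
        0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02 };
    memset(f, 0, sizeof *f);
    memcpy(f->data, macs, 12);
    size_t off = 12;
    if (tagged) {
        put16(f->data + off, ETHERTYPE_VLAN); off += 2;
        put16(f->data + off, 100);            off += 2;  /* PCP 0, DEI 0, VID 100 */
    }
    put16(f->data + off, ETHERTYPE_IP); off += 2;
    memcpy(f->data + off, ipv4_tcp, 20); off += 20;
    f->len = off;
}

int main(void)
{
    struct frame f;
    build_sample_frame(&f, 1);
    int proto = bridge_hook(&f);
    printf("proto=%d vid=%u len=%zu tag_in_band=%d\n",
           proto, vlan_vid(f.vtag), f.len, f.data[12] == 0x81);
    return 0;
}
```

Two things worth noting about this shape. First, the hook reattaches only a tag it stripped itself: if the driver already popped the tag (the "trust the hardware" case, has_vtag set on entry), the frame passes through untouched and leaves the hook in the same state the driver left it. Second, only one tag level is handled; a QinQ frame (outer 0x88a8 or a second 0x8100) still presents a non-IP ethertype to inspect_ip and is rejected rather than misparsed, which is the safe failure for a firewall check.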