On 02.11.2012 18:18, Luigi Rizzo wrote:
> On Fri, Nov 02, 2012 at 09:12:23AM -0700, Juli Mallett wrote:
>> On Fri, Nov 2, 2012 at 5:54 AM, Andre Oppermann <opperm...@networx.ch> wrote:
>>> On 02.11.2012 13:38, Gleb Smirnoff wrote:
>>>> #define M_SKIP_FIREWALL 0x00004000 /* skip firewall processing */
>>>
>>> This one should become an M_PROTO overlay.  It is only relevant within
>>> a protocol layer.
>>
>> No, like M_PROMISC it needs to follow packets around throughout the stack,
>> and not conflict with anything else.  My memory of the details is a bit
>> hazy, but ipfw2 unfortunately does need the flag to not be something that
>> could be accidentally set or cleared by another protocol layer, and the
>> flag needs to persist.  Or did 8 years ago.
>
> M_SKIP_FIREWALL was introduced to make sure that packets coming
> out of a dummynet pipe were not reinjected in the firewall
> unless explicitly requested by the configuration.

Dummynet doesn't set or use M_SKIP_FIREWALL.

> I think it is also used by the ipfw stateful code so that
> probes to refresh the state of dynamic rules do not end up
> fooling the firewall itself.

Indeed.

> Besides the firewall can be invoked at multiple layers,
> so I believe it makes more sense to preserve the current behaviour
> rather than make it into an M_PROTO flag.

I've looked at the code and it all happens at the IP[46] layer.
No layer crossing going on.  M_PROTO use is perfectly valid here.

--
Andre
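The disagreement above is about where a "skip the firewall" marker may safely live in the mbuf flag word. The following C program is an added illustration, not code from any participant or from the FreeBSD tree: it models two flag namespaces (packet-wide flags, and M_PROTO overlay bits whose meaning belongs to whichever layer set them) and shows the two hazards Juli describes. The bit values, the rule that overlay bits are cleared at a layer boundary, and the helper names are assumptions chosen for the model.

```c
/* Toy model of mbuf flag namespaces (illustration only, not kernel code).
 * Assumed: overlay bits are handed back, i.e. cleared, when an mbuf crosses
 * from one protocol layer to the next; packet-wide bits travel untouched. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Packet-wide flags: meaningful to every layer, never cleared in transit. */
#define M_PROMISC         0x00000001u  /* received in promiscuous mode */
#define M_SKIP_FIREWALL   0x00000002u  /* skip firewall processing */

/* Protocol-overlay flags: reused by each layer for its own purposes. */
#define M_PROTO1          0x00001000u
#define M_PROTO2          0x00002000u
#define M_PROTOFLAGS      (M_PROTO1 | M_PROTO2)

/* Hypothetical alternative: the firewall keeps its marker in an overlay bit. */
#define M_FW_SKIP_OVERLAY M_PROTO1

struct mbuf {
    uint32_t    m_flags;
    const char *m_desc;   /* what the packet is, for the reader only */
};

/* Modelled layer-boundary rule: overlay bits do not survive the hand-off. */
static void cross_layer_boundary(struct mbuf *m)
{
    m->m_flags &= ~M_PROTOFLAGS;
}

/* Some other layer that legitimately uses M_PROTO1 for an unrelated meaning. */
static void other_layer_touches_proto1(struct mbuf *m, bool set)
{
    if (set)
        m->m_flags |= M_PROTO1;
    else
        m->m_flags &= ~M_PROTO1;
}

/* Firewall hook: the packet is inspected unless its skip marker is present. */
static bool firewall_inspects(const struct mbuf *m, uint32_t skip_flag)
{
    return (m->m_flags & skip_flag) == 0;
}

/* Hazard 1 (marker cleared): a probe generated by the firewall's stateful
 * code to refresh a dynamic rule is marked "do not inspect me", then crosses
 * a layer boundary and passes through a layer that clears its own M_PROTO1.
 * Returns true if the firewall would wrongly re-inspect its own probe. */
bool probe_gets_reinspected(uint32_t skip_flag)
{
    struct mbuf probe = { .m_flags = 0, .m_desc = "firewall keepalive probe" };

    probe.m_flags |= skip_flag;
    cross_layer_boundary(&probe);
    other_layer_touches_proto1(&probe, false);
    return firewall_inspects(&probe, skip_flag);
}

/* Hazard 2 (marker set by accident): an ordinary packet gets M_PROTO1 set by
 * another layer for its own reasons and then reaches the firewall hook.
 * Returns true if the firewall would wrongly let the packet through. */
bool unrelated_packet_skips_firewall(uint32_t skip_flag)
{
    struct mbuf pkt = { .m_flags = 0, .m_desc = "ordinary inbound packet" };

    other_layer_touches_proto1(&pkt, true);
    return !firewall_inspects(&pkt, skip_flag);
}

int main(void)
{
    printf("packet-wide M_SKIP_FIREWALL: probe re-inspected=%d, stray skip=%d\n",
           probe_gets_reinspected(M_SKIP_FIREWALL),
           unrelated_packet_skips_firewall(M_SKIP_FIREWALL));
    printf("overlay M_PROTO1 marker:     probe re-inspected=%d, stray skip=%d\n",
           probe_gets_reinspected(M_FW_SKIP_OVERLAY),
           unrelated_packet_skips_firewall(M_FW_SKIP_OVERLAY));
    return 0;
}
```

With the packet-wide bit both hazards report 0; with the overlay bit both report 1. Whether the hazards apply in practice is exactly the point under discussion: if every set, test and clear of the marker really happens within one layer, as Andre states for the IP[46] code, the model's boundary crossing never occurs and an overlay bit is safe; if the firewall can be reached from more than one layer, as Luigi argues, a packet-wide bit is the only one that persists.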

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
