kern/57428: a couple of new sysctl to toggle which IP firewall (IPFW or IPF) would process packets first

ale at unixmania.net ale at unixmania.net
Tue Sep 30 14:50:29 PDT 2003


>Number:         57428
>Category:       kern
>Synopsis:       a couple of new sysctl to toggle which IP firewall (IPFW or IPF) would process packets first
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 30 14:50:26 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Alessandro de Manzano
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
n/a
>Environment:
System: FreeBSD libero.sunshine.ale 4.7-STABLE FreeBSD 4.7-STABLE #6: Mon Oct 14 10:22:28 CEST 2002 root at libero.sunshine.ale:/usr/obj/usr/src/sys/LIBERO i386


	
>Description:
	Sometimes in my job as netadmin I have found that the possibility to
	choose which IP firewall, among IPFW(2) and IPFilter, would process
	packets first would be a very useful thing. Think about complex firewall
	rules where a single IP firewall is not enough because of the very good
	NAT capabilities of IPF and/or the fine bandwidth control of IPFW.
	By default the FreeBSD kernel processes IPFilter hooks before IPFW ones.
	The attached patch, while style(9)-istically absolutely horrible ;),
	allows toggling this default for both input and output packets.
	A few days of testing on a moderately loaded home server indicate that
	it seems to work as expected, but it definitely needs more testing.

	
>How-To-Repeat:
	
>Fix:

	



>Release-Note:
>Audit-Trail:
>Unformatted:

