IPFW and the IP stack
Devon H.O'Dell
dodell at sitetronics.com
Thu Dec 4 06:13:29 PST 2003
I've been looking through the IP stack for shits and giggles and was
wondering why a few things are the way they are with IPFW's
implementation.

I went back through the CVSWeb stuff to check out the changes and it
appears that most of my questions are purely cosmetic issues; but I
still don't understand them.

Specifically, pretty much everything in the iphack: section relied on
IPFW being defined in the kernel configuration. Several checks went
away when COMPAT_IPFW was defaulted into the kernel, then several were
removed to make a buildable kernel without having options IPFIREWALL
defined in the kernel configuration. Throughout these changes, several
variables related to IPFW were removed from #ifdef IPFIREWALL checks.

At this point, most IPFW variables are initialized by default
(including some stuff for natd) and every call to ip_input() does a
check at if (fw_enable && IPFW_LOADED) (I believe this is true for
ip_output() as well). Why are these variables and sections compiled in
by default instead of left out if no firewall is existent in the
kernel?

Hope that doesn't sound too ambiguous :)

Kind regards,

Devon