[patch] ipfw_nat as a kld module
vadim_nuclight at mail.ru
Fri Feb 29 14:37:33 UTC 2008
Hi Paolo Pisati!
>> * struct ip_fw_chain moved to .h and no longer static, is this good?
>> I suggest to move into its own static chain in module, see next
> the symbol is used outside its originating file
Is it needed if LIST_HEAD will be in its own module?
>> * Instead of returning IP_FW_NAT function is called immediately from
>> ipfw_chk(). This is inconsistent with other modules of this sort, like divert
>> and dummynet, where ipfw_chk() simply returns value and cookie to
>> ipfw_check_*() functions in _pfil.c. If it is done like that, ip_fw2.c
>> is dependent on modules in a minimal way, as many of the structures and code
>> as possible should be moved to modules. This allows changing the module
>> without recompiling main ipfw - for example, your lookup_nat() and
>> LIST_HEAD from ip_fw_chain could reside entirely in module - then it would
>> be possible to easily switch from LIST to hash of some kind (imagine 500
>> NAT instances). And so on.
> that's something I thought about, but I didn't see any tangible improvement
> to this modification, because part of ipfw_nat would still be called from
> ipfw2.c (see ipfw_ctl).
This could be fixed, too, as is done with dummynet, which is also configured
via ipfw(8). As it is HEAD, ABI can be broken and this will not be done via
> Anyway, I'll fix a couple of nits and commit as it is.
Why not fix more?..
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight at mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
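
The decoupling discussed in this message, as an added example that is not part of the original post and is not FreeBSD code: a userland C model in which the core only returns a verdict plus cookie, a dispatcher calls the module through a hook pointer, and the module keeps its instance table private (here a small hash instead of a LIST). Only `IP_FW_NAT` and `lookup_nat` are names from the thread; every other identifier, and the choice to deny packets when the module is absent, is an assumption of the model.

```c
/* Userland model, NOT kernel code. Only IP_FW_NAT and lookup_nat are names
 * taken from the thread; everything else is a hypothetical stand-in. */
#include <stddef.h>

enum verdict { FW_PASS, FW_DENY, IP_FW_NAT };
struct fw_result { enum verdict v; int cookie; };  /* cookie = NAT instance id */
typedef int (*nat_hook_t)(int cookie, unsigned char *pkt, size_t len);
static nat_hook_t nat_hook = NULL;  /* set by the module when it loads */

/* Core (role of ipfw_chk): match the rule, report a verdict, call nothing. */
static struct fw_result chk_model(int rule_nat_id) {
    struct fw_result r = { rule_nat_id > 0 ? IP_FW_NAT : FW_PASS, rule_nat_id };
    return r;
}

/* Dispatcher (role of ipfw_check_*): act on the verdict via the hook. */
static enum verdict check_model(int rule_nat_id, unsigned char *pkt, size_t len) {
    struct fw_result r = chk_model(rule_nat_id);
    if (r.v != IP_FW_NAT) return r.v;
    if (nat_hook == NULL) return FW_DENY;  /* module absent: model fails closed */
    return nat_hook(r.cookie, pkt, len) == 0 ? FW_PASS : FW_DENY;
}

/* ---- module side: the table layout is invisible to the core ---- */
#define NAT_BUCKETS 8
struct nat_inst { int id; unsigned char mark; struct nat_inst *next; };
static struct nat_inst *buckets[NAT_BUCKETS];

static struct nat_inst *lookup_nat(int id) {
    for (struct nat_inst *n = buckets[(unsigned)id % NAT_BUCKETS]; n; n = n->next)
        if (n->id == id) return n;
    return NULL;
}
static void nat_add(struct nat_inst *n) {
    struct nat_inst **b = &buckets[(unsigned)n->id % NAT_BUCKETS];
    n->next = *b;
    *b = n;
}
static int nat_input(int cookie, unsigned char *pkt, size_t len) {
    struct nat_inst *n = lookup_nat(cookie);
    if (n == NULL || len == 0) return -1;  /* unknown instance or empty packet */
    pkt[0] = n->mark;                      /* stand-in for address rewriting */
    return 0;
}
static void nat_load(void)   { nat_hook = nat_input; }
static void nat_unload(void) { nat_hook = NULL; }

int main(void) {
    static struct nat_inst a = { 1, 0xAA, NULL };  /* constructed sample instance */
    unsigned char pkt[1] = { 0 };
    nat_load(); nat_add(&a);
    return check_model(1, pkt, sizeof pkt) == FW_PASS ? 0 : 1;
}
```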