svn commit: r201517 - in user/luigi/ipfw3-head/sys/netinet: . ipfw

Luigi Rizzo rizzo at iet.unipi.it
Wed Jan 6 11:42:51 UTC 2010


On Tue, Jan 05, 2010 at 07:38:51PM +0100, Ermal Luçi wrote:
> On Tue, Jan 5, 2010 at 7:26 PM, Luigi Rizzo <rizzo at iet.unipi.it> wrote:
...
> > I was not aware of pf support -- in fact, i wonder how divert could work
> > without ipfw because the function pointer ip_divert_ptr at the moment
> > is defined in ip_fw_pfil.c .
> >
> > There are in fact, I believe, two things that enforce the dependency:
> > 1. the ip_divert_ptr above. We should move it elsewhere, in the
> >  standard ip_* files;
> >
> > 2. the tag that is attached to the packet to record the reinject cookie
> >  (I have recently redefined it as MTAG_IPFW_RULE because i was
> >  not aware of the pf(4) support -- i need to revert/fix this if
> >  we want divert and pf cooperation (though note that I tried to
> >  have the same mtag format for all reinjected packets -- dummynet,
> >  divert, netgraph, ... so once we fix it for one application it
> >  should work for all with no special code).
> >
> > cheers
> > luigi
> >
> 
> Check it out here
> http://svn.freebsd.org/viewvc/base/user/eri/pf45/head/
> 
> The divert support
> with the pointer moving is commit 198045 for checking on how i have done in
> that branch. If you find a better solution go ahead and i will update the
> referenced pf branch as well.

very good. moving ip_divert_ptr to ip_input or some other global
place is trivial. The other change required is to move the
MTAG_IPFW_RULE (and struct ipfw_rule_ref) to some common
header instead of the ipfw-specific headers. Renaming the
struct or fields is fine.
As you see, the tag contains 2 pieces of information:
- a rule identifier (in ipfw it is rulenum:rule_id), which can
  be used for a lookup even if the configuration changes
  (and we cannot hold a lock or a refcount) as the packet may not
  come back;
- a "quick reference", protected by a version number, to be used
  to save the cost of a lookup in case the configuration has not changed.

I suppose the existing fields should be enough for pf as well,
possibly changing 'slot' to uintptr_t so you can put there a
pointer instead of a slot number.

can you give a try at adapting pf.c to this structure while I
move the ipfw_rule_ref to a common header ?

cheers
luigi
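
The two-part tag described in the message above, as an added illustration that is not part of the original message and is not FreeBSD, ipfw or pf code: a userspace C model in which the cached slot is used only when the ruleset version still matches, and the stable identifier is searched otherwise. All struct, field and function names are hypothetical, the sample rulesets are constructed, and resuming at the next rule when the referenced one has been deleted is an assumption.

```c
/* Added illustration: a userspace model, not FreeBSD kernel code.
 * Every struct, field and function name here is hypothetical. */
#include <stddef.h>
#include <stdint.h>

struct rule { uint32_t rulenum, rule_id; };
struct ruleset {
    uint32_t version;           /* bumped on every reconfiguration */
    size_t n;
    const struct rule *rules;   /* sorted by rulenum, then rule_id */
};
struct rule_ref {               /* what the packet tag carries */
    uint32_t rulenum, rule_id;  /* stable identifier */
    uintptr_t slot;             /* quick reference into rules[] */
    uint32_t version;           /* ruleset version when slot was saved */
};

/* Constructed sample data: rule 200 is deleted and 150 added on reload. */
static const struct rule old_rules[] = {{100, 1}, {200, 2}, {300, 3}};
static const struct rule new_rules[] = {{100, 1}, {150, 4}, {300, 3}};
static const struct ruleset cfg_old = {1, 3, old_rules};
static const struct ruleset cfg_new = {2, 3, new_rules};

/* Build the tag when a packet leaves the ruleset at rules[slot]. */
struct rule_ref ref_save(const struct ruleset *rs, size_t slot)
{
    struct rule_ref r = {rs->rules[slot].rulenum, rs->rules[slot].rule_id,
                         slot, rs->version};
    return r;
}

/* Index of the referenced rule; if it is gone, the first rule after it
 * (assumed fallback). The slot is trusted only when the version matches. */
size_t ref_resume(const struct ruleset *rs, const struct rule_ref *ref, int *fast)
{
    size_t lo = 0, hi = rs->n;
    *fast = (ref->version == rs->version && ref->slot < rs->n);
    if (*fast)
        return (size_t)ref->slot;
    while (lo < hi) {           /* slow path: binary search by identifier */
        size_t mid = lo + (hi - lo) / 2;
        const struct rule *r = &rs->rules[mid];
        if (r->rulenum < ref->rulenum ||
            (r->rulenum == ref->rulenum && r->rule_id < ref->rule_id))
            lo = mid + 1;
        else
            hi = mid;
    }
    return lo;
}
```

With the constructed data, a tag saved at slot 1 (rule 200:2) resolves through the fast path while `cfg_old` is active; after the reload the stale slot would point at rule 150:4, so the version mismatch forces the search, which lands on rule 300:3.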

