Updated ipfw to pfil_hooks patch

Andre Oppermann andre at freebsd.org
Fri Aug 13 14:48:58 PDT 2004

I've put a fresh diff of my current work of converting ipfw to use the
pfil_hooks API to grab its fresh packet food.


The code is approaching finalization but is not yet there.  No need for
syntactic nitpicking yet.

State of the diff:

  o Normal IPFW packet filter firewalling works fine - STABLE
  o IPDIVERT works fine - STABLE
  o DUMMYNET works fine - STABLE
  o IPFORWARD works for forwarding to local sockets on the ip_input and ip_output
    path - TESTING
  o IPFORWARD works for forwarding to remote addresses only on the ip_output path
  o Layer 2 IPFW for ethernet in/out and bridging does not work in the patch

What remains to be done:

  o General code polishing around the core functions which are already cleaned up
  o Undo the removal of the Layer2 and bridge hooks and continue to invoke IPFW the
    old way for the moment (does not hurt)
  o Fix IPFORWARD to remote to work on ip_input path too
  o Undo the move of all IP options functions to their own source file
  o Make IPDIVERT a loadable kernel module (later)

My goal is to get this stuff into 5.3R before the code freeze.

Anyone wanting to give the patch a try, feel free to do so and report back the
problems or success stories!  (Except for Layer2/bridging IPFW which does not work
in the above patch).

