New preview patch for ipfw to pfil_hooks conversion
andre at freebsd.org
Tue Jun 22 11:48:59 GMT 2004
Angelo Turetta wrote:
> ----- Original Message -----
> From: "Andre Oppermann" <andre at freebsd.org>
> Sent: Monday, June 21, 2004 11:36 PM
> > This patch significantly cleans up ip_input.c and ip_output.c.
> > The following is included in this patch:
> > o Remove all ipfw related cruft from ip_input() and ip_output()
> > o New ip_fw_pfil.c file which contains all ipfw/pfil_hooks logic
> IIRC, I had once a problem with a mixed setup where I used IPFILTER NAT &
> IPFW DUMMYNET. Basically, there was an asymmetry in the order the two
> filters were called, because the code in ip_input.c called IPFILTER before
> entering the IPFW code, and ip_output.c did the same, while it should have
> called first IPFW then IPFILTER. (beware, it might have been the opposite
> WRT what was first in which function, I don't remember exactly).
The new code fixes this. With ipfw using pfil_hooks the ordering will
be preserved for input and output (reversed).
> Does your new code take this ordering issue into account? I suppose it would
> be nice to be able to control the order filters are processed: I may like
> IPFW to be 'wrapping' IPFILTER (that is, called before it during input, and
> after it during output), while others might prefer the opposite. And anyway,
> am I right the filter list should be traversed in opposite directions during
> input versus output (maybe it's already so).
When you load the packet filters as kld's you can specify the order of
processing yourself. For compiled in it depends which initialization
function is called first.
More information about the freebsd-current