netpfil with if_output and ip(6)_output

Andrey V. Elsukov bu7cher at yandex.ru
Mon Nov 14 12:58:53 UTC 2016


On 14.11.2016 15:24, Franco Fichtner wrote:
> I've opened a review to start removal of if_output from the
> pf code with a conservative first batch, which would eventually
> enable ipfw and pf to redirect packets using the same PACKET_TAG_IPFORWARD
> mechanism.  It was met with multiple opinions, but no agenda out
> of the current situation:
> 
> https://reviews.freebsd.org/D8109
> 
> Since the discussion went stale, I would like to pose three
> questions to a wider audience:
> 
> Is there interest in keeping the netpfil framework consistent
> for use with either ipfw or pf?
> 
> Is there interest in keeping the netpfil framework consistent
> for use with ipfw and pf running at the same time?
> 
> Is there anyone willing to review and guide work towards
> correcting these oddities?

Hi,

I have some thoughts related to your proposal.
What do you think about introducing a new KPI to work with fwd_tags?
With such KPI we can make fwd_tags opaque for PFIL consumers and handle
tags identically in all *proto*_output() routines.

At first glance I can propose the following:

/* ip_var.h */
#define	IP_HAS_NEXTHOP(m)	((m)->m_flags & M_IP_NEXTHOP)
int ip_set_fwdtag(struct mbuf *m, struct sockaddr_in *dst,
    u_short ifidx);
int ip_get_fwdtag(struct mbuf *m, struct sockaddr_in *dst,
    u_short *ifidx);
void ip_flush_fwdtag(struct mbuf *m);


/* ip6_var.h */
#define	IP6_HAS_NEXTHOP(m)	((m)->m_flags & M_IP6_NEXTHOP)
int ip6_set_fwdtag(struct mbuf *m, struct sockaddr_in6 *dst,
    u_short ifidx);
int ip6_get_fwdtag(struct mbuf *m, struct sockaddr_in6 *dst,
    u_short *ifidx);
void ip6_flush_fwdtag(struct mbuf *m);

Since I'm not quite aware of how PF handles PACKET_TAG_IPFORWARD tags, you
can modify this to fully cover its needs.

-- 
WBR, Andrey V. Elsukov
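
A userspace model of the IPv4 half of the KPI proposed in the message above, added here as an illustration; it is not code from the email or from FreeBSD. The stand-in struct mbuf, the flag value, the tag layout, the errno return values, the "later set replaces earlier" behaviour and the helper model_output_nexthop() are all assumptions, and u_short is spelled unsigned short for portability.

```c
/* Userspace model: struct mbuf, the flag value, the tag layout and the
 * errno return values are assumptions for illustration, not FreeBSD code. */
#include <errno.h>
#include <stdlib.h>
#include <netinet/in.h>

#define M_IP_NEXTHOP      0x1   /* assumed value */
#define IP_HAS_NEXTHOP(m) ((m)->m_flags & M_IP_NEXTHOP)

struct fwdtag { struct sockaddr_in dst; unsigned short ifidx; }; /* KPI-private */
struct mbuf { int m_flags; struct fwdtag *tag; };                /* stand-in */

void ip_flush_fwdtag(struct mbuf *m)
{
    free(m->tag);
    m->tag = NULL;
    m->m_flags &= ~M_IP_NEXTHOP;    /* flag and tag change together */
}

int ip_set_fwdtag(struct mbuf *m, struct sockaddr_in *dst, unsigned short ifidx)
{
    struct fwdtag *t = malloc(sizeof(*t));
    if (t == NULL)
        return (ENOMEM);
    ip_flush_fwdtag(m);             /* a later filter replaces an earlier decision */
    t->dst = *dst;
    t->ifidx = ifidx;
    m->tag = t;
    m->m_flags |= M_IP_NEXTHOP;
    return (0);
}

int ip_get_fwdtag(struct mbuf *m, struct sockaddr_in *dst, unsigned short *ifidx)
{
    if (!IP_HAS_NEXTHOP(m) || m->tag == NULL)
        return (ENOENT);
    *dst = m->tag->dst;
    *ifidx = m->tag->ifidx;
    return (0);
}

/* Hypothetical output-path step: use the forwarded next hop if any filter
 * set one, consume the tag, otherwise keep the routed destination. */
int model_output_nexthop(struct mbuf *m, struct sockaddr_in *dst, unsigned short *ifidx)
{
    if (ip_get_fwdtag(m, dst, ifidx) != 0)
        return (0);                 /* no redirect: dst/ifidx untouched */
    ip_flush_fwdtag(m);
    return (1);
}
```

Because callers only go through set/get/flush, the flag bit and the stored tag cannot drift apart, which is the consistency the opaque-tag proposal is after when two packet filters run at the same time.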
