IPFIREWALL_FORWARD

Ian Smith smithi at nimnet.asn.au
Thu Mar 11 10:19:21 UTC 2010


On Thu, 11 Mar 2010, n j wrote:
 > > A loadable module requires a coherent piece of code to implement the
 > > functionality, that can be put into the module. This option
 > > scatters tiny snippets of code throughout the existing
 > > TCP/UDP/IP/ipfw code.
 > 
 > Is that just a matter of current implementation or is that 'scatter'
 > necessary for forward functionality?

I think what Julian's saying is that adding (ipfw-specific) forwarding 
code to that many code paths in the stack has been deemed too expensive 
to have it be costing execution time when it's not being used.

If 'the stack' was a monolithic thing that could be loaded as a module, 
then loading different builds of it may be feasible .. but it isn't :)

% grep -RHi IPFIREWALL_FORWARD /sys/

to scope the job of including it.  I've no idea how costly wrapping that 
code with sysctl tests rather than ifdefs might be - maybe worth a test? 
- but there's always going to be pressure to maximise packet flows ..

my 2 bob, Ian

