Oleg Bulyzhin wrote:
On Wed, May 24, 2006 at 05:22:52PM +0200, Andre Oppermann wrote:
Oleg Bulyzhin wrote:
On Wed, May 24, 2006 at 01:09:55PM +0000, Oleg Bulyzhin wrote:
oleg 2006-05-24 13:09:55 UTC
FreeBSD src repository
Modified files:
sys/netinet ip_fw.h ip_fw2.c
sbin/ipfw ipfw.8 ipfw2.c
Log:
Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
Since tags are kept while packet resides in kernelspace, it's possible to
use other kernel facilities (like netgraph nodes) for altering those tags.
Submitted by: Andrey Elsukov <bu7cher at yandex dot ru>
Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru>
Approved by: glebius (mentor)
Idea from: OpenBSD PF
MFC after: 1 month
Revision Changes Path
1.188 +61 -1 src/sbin/ipfw/ipfw.8
1.89 +72 -8 src/sbin/ipfw/ipfw2.c
1.106 +6 -0 src/sys/netinet/ip_fw.h
1.132 +57 -1 src/sys/netinet/ip_fw2.c
Examples of ipfw rules syntax:
count tag 100 ip from any to any
allow untag 10 ip from any to any tagged 10
Does this accept the packet and untag it at the same time? Wouldn't
it make more sense to have [tag|untag] as their own operators like
[allow|deny]?
allow tag 200 ip from any to any not tagged 0-65535
--
Andre
It was just a syntax example; of course those rules are useless. The main idea
of tags: you can alter them outside ipfw, so it's possible to make
policy routing/filtering/etc. decisions outside ipfw.
I'm perfectly fine with tags. My question was just about the ipfw
rule syntax for tagging. See my email to Andrey for a more detailed
rant.
--
Andre
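As an added illustration of the tag/untag/tagged syntax discussed above (this ruleset is not part of the commit or of either poster's mail; the interface names em0 and em1, the rule numbers and the tag value 10 are assumed), a minimal policy that tags traffic as it enters one interface and only lets it leave through the other interface while the tag is still attached:

```ipfw
# Added example, not from the commit or the thread. Interfaces em0/em1,
# rule numbers and tag 10 are assumed values for illustration only.

# Tag every packet entering on the internal interface; 'count' matches
# without terminating the search, so the packet keeps walking the ruleset.
ipfw add 100 count tag 10 ip from any to any in via em1

# A tagged packet going out the external interface is accepted and the
# tag is stripped in the same rule ('allow untag 10' does both).
ipfw add 200 allow untag 10 ip from any to any out via em0 tagged 10

# Anything that still carries a tag took an unexpected path: drop it.
# A netgraph node could also have added or changed the tag before this point.
ipfw add 300 deny ip from any to any tagged 0-65535

# Untagged traffic is handled by the rest of the ruleset as usual.
ipfw add 400 allow ip from any to any not tagged 0-65535
```

Tags only exist while the mbuf is inside the kernel, so rule 300 is checked on the same host that applied rule 100; nothing is carried on the wire.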
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "[EMAIL PROTECTED]"