Hi, All! I've tried Andrey Elsukov's ipfw "tag/tagged" patches from: http://butcher.heavennet.ru/patches/kernel/ipfw_tags/
Tested on 5.5-PRERELEASE production server with moderate load - rock stable [I've also looked through the code - patch is small, so there simply can't be any bugs there ;)].

Personally I very much like the idea from Andrey's original letter about the possibility of making a netgraph(4) node able to mark packets: this is a potential ability to build a fast (in-kernel) level 7 firewall / traffic filter without the need to fully duplicate the entire TCP/IP stack in this marking node - that's ipfw's work. For example, rules can look like this:

    # node marks traffic as good or bad based on first packets in the flow
    node=300
    good=1
    bad=2
    check-state                                 # here most sorted traffic goes
    netgraph $node all from any to any          # divert unmarked traffic to node
    deny all from any to any tagged $bad
    allow all from any to any tagged $good keep-state

-- 
WBR, Vadim Goncharov
