James Carlson wrote:
> ...
>
>>> There may be such cases, but that's exactly what the existing "group"
>>> feature in IP filter is designed to handle. It allows you to specify
>>> that packets matching certain criteria are to be further processed by
>>> a subset of the rules.
>>>
>> Right. And we're using "group" together with "ip-head".
>>
>>> This new "ip-head" and "ip-nat" feature does the same thing,
>>>
>> "ip-head" does a similar thing to "head", and "ip-nat" is different.
>> Please note the group feature is only available for IP Filtering rules
>> today; there's no group support for IP NAT rules. So "ip-nat" is
>> irrelevant to the "group" feature.
>>
>
> That's perhaps a bug, but irrelevant.
>
> You still haven't answered what "ip-head" does that "head" doesn't
> already do.
>
The difference is that "ip-head" says "now go and make the packet look like it is an IP packet (move b_rptr) and process it like an IP packet in IPFilter, starting with the specified group." The "head" just says go look at this set of rules next.

So, we could write rules like this:

pass in quick on bge0 family ether from any to any type 0x800 head 800
block in family ether from any to 80:00:00:00:00:00/1 group 800 ip-head 20

So we would have IP packets coming in on bge0 passed to group 800, where those that are not broadcast/multicast are passed off for IP checking starting with group 20.

Darren
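As an added illustration (not part of the thread, and not IPFilter's own documentation) of how the layer-2 stage and the IP stage fit together, here is a fuller rule set built around the two rules above. It assumes the proposed "ip-head 20" behaves as Darren describes (the frame is re-parsed as IP and processing continues in group 20) and that ordinary ipf syntax applies to the rules in group 20; the service choices are made up for the example.

```text
# Layer-2 stage (rules from the message above): IPv4 frames arriving on bge0
# are handed to group 800; within that group, frames whose destination MAC is
# not a group (multicast/broadcast) address are re-parsed as IP and continue
# in group 20.
pass in quick on bge0 family ether from any to any type 0x800 head 800
block in family ether from any to 80:00:00:00:00:00/1 group 800 ip-head 20

# IP stage, group 20 (assumed example rules): default deny, log what is
# dropped, and admit only the traffic the host is expected to serve.
block in log quick from 127.0.0.0/8 to any group 20
pass in quick proto tcp from any to any port = 22 flags S keep state group 20
pass in quick proto icmp from any to any icmp-type echo group 20
block in log quick all group 20
```

Because the layer-2 rule set decides which frames ever reach group 20, a mistake in the ether rules silently bypasses the IP policy, so both stages should be checked together when reviewing such a configuration.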