cvs commit: src/sys/conf files options src/sys/contrib/ipfilter/netinet ip_fil.c ip_fil.h src/sys/i386/conf GENERIC LINT src/sys/netinet ip_input.c ip_output.c ip_var.h src/sys/netinet6 ip6_forward.c ip6_input.c ...
Hiten Pandya
hmp at backplane.com
Tue Dec 2 03:11:14 PST 2003
Jeroen Ruigrok/asmodai wrote:
asmodai 2003/12/02 00:00:23 PST
DragonFly src repository
Modified files:
sys/conf files options
sys/contrib/ipfilter/netinet ip_fil.c ip_fil.h
sys/i386/conf GENERIC LINT
sys/netinet ip_input.c ip_output.c ip_var.h
sys/netinet6 ip6_forward.c ip6_input.c ip6_output.c
ip6_var.h
Log:
Add PFIL_HOOKS functionality. This allows us to plug in many firewalling
architectures by using/having generic hooks in the networking code.
The reason I wasn't so hasty about adding this functionality in,
is because it prevents the dynamic loading of packet filters
that make use of the PFIL_HOOKS functionality. If you see the
freebsd-current@ mailing list, I have discussed it with many
others including Darren himself.
Making PFIL_HOOKS default in the kernel leads to some perf. loss
in the general case which we don't want to happen. One way of
solving this problem is to create extern pfil_hook_ pointers
which are tested for by the ip_input/ip_output code, and if the
pointers are not NULL, then they are called; similar to the way
it is done with the NetGraph code.
This way, we can load the PFIL_HOOKS functionality as a module
and also have the packet filtering work. I do not have any
patches for this at the moment, but this is the general idea
that was agreed upon, but no one got around to do it.
Anyway, nice work. We need the manual pages though. :-)
Regards,
PS: Is this the most up-to-date (i.e. from OpenBSD) PFIL_HOOKS?
--
Hiten Pandya
hmp at xxxxxxxxxxxxx
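The design sketched above (an extern hook pointer that ip_input/ip_output test for NULL and call only when a filter module has registered itself) can be shown in a small user-space model. The code below is an added example for this thread, not code from the commit, from DragonFly, FreeBSD or the NetGraph implementation it is compared to; the pfil_* signatures are a simplified imitation of the real API, and struct pkt, inet_pfil_hook, inet_head and the blockport_* "module" are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Direction flags, named after the real PFIL_IN / PFIL_OUT. */
#define PFIL_IN       0x01
#define PFIL_OUT      0x02
#define PFIL_MAXHOOKS 4

/* Toy stand-in for an mbuf: only the fields the sample filter looks at (constructed). */
struct pkt {
    uint8_t  proto;   /* 6 = TCP */
    uint16_t dport;   /* destination port, host order */
};

/* A hook returns 0 to let the packet continue and nonzero to drop it. */
typedef int (*pfil_func_t)(void *arg, struct pkt *p, int dir);

struct pfil_hook { pfil_func_t func; void *arg; int flags; };
struct pfil_head { struct pfil_hook hooks[PFIL_MAXHOOKS]; int nhooks; };

/*
 * The point of the post: one pointer the IP code tests per packet. It is
 * NULL until a filtering module loads, so the general case pays a single
 * compare-and-branch instead of walking a (possibly empty) hook list.
 */
static struct pfil_head *inet_pfil_hook = NULL;

int pfil_add_hook(struct pfil_head *ph, pfil_func_t f, void *arg, int flags)
{
    if (ph->nhooks >= PFIL_MAXHOOKS)
        return -1;
    ph->hooks[ph->nhooks].func  = f;
    ph->hooks[ph->nhooks].arg   = arg;
    ph->hooks[ph->nhooks].flags = flags;
    ph->nhooks++;
    return 0;
}

int pfil_remove_hook(struct pfil_head *ph, pfil_func_t f, void *arg)
{
    for (int i = 0; i < ph->nhooks; i++) {
        if (ph->hooks[i].func != f || ph->hooks[i].arg != arg)
            continue;
        /* close the gap so the remaining hooks stay in registration order */
        memmove(&ph->hooks[i], &ph->hooks[i + 1],
                (size_t)(ph->nhooks - i - 1) * sizeof(ph->hooks[0]));
        ph->nhooks--;
        return 0;
    }
    return -1;
}

/* Run every hook registered for this direction; the first nonzero verdict drops. */
int pfil_run_hooks(struct pfil_head *ph, struct pkt *p, int dir)
{
    for (int i = 0; i < ph->nhooks; i++) {
        if ((ph->hooks[i].flags & dir) == 0)
            continue;
        int rv = ph->hooks[i].func(ph->hooks[i].arg, p, dir);
        if (rv != 0)
            return rv;
    }
    return 0;
}

/* What ip_input() would do with the pointer: 0 = delivered, -1 = dropped by a filter. */
int ip_input(struct pkt *p)
{
    if (inet_pfil_hook != NULL && pfil_run_hooks(inet_pfil_hook, p, PFIL_IN) != 0)
        return -1;
    return 0;
}

/* --- a tiny loadable filter "module" (hypothetical): drop inbound TCP to one port --- */
struct blockport_cfg { uint16_t port; unsigned long dropped; };

static int blockport_hook(void *arg, struct pkt *p, int dir)
{
    struct blockport_cfg *cfg = arg;
    if (dir == PFIL_IN && p->proto == 6 && p->dport == cfg->port) {
        cfg->dropped++;            /* counter a log or sysctl could expose */
        return 1;
    }
    return 0;
}

static struct pfil_head inet_head;  /* storage the module points the hook at */

int blockport_module_load(struct blockport_cfg *cfg)
{
    if (pfil_add_hook(&inet_head, blockport_hook, cfg, PFIL_IN) != 0)
        return -1;
    inet_pfil_hook = &inet_head;    /* publish last: ip_input() now consults us */
    return 0;
}

void blockport_module_unload(struct blockport_cfg *cfg)
{
    pfil_remove_hook(&inet_head, blockport_hook, cfg);
    if (inet_head.nhooks == 0)
        inet_pfil_hook = NULL;      /* unpublish: back to the fast path */
}
```

The ordering in load and unload is the part worth copying: the head is fully populated before the pointer is published, and the pointer is cleared once the last hook is gone, so the IP path never dereferences a half-built or already-torn-down head. In a real kernel the same publish/unpublish step would additionally need a lock or a memory barrier, since ip_input() may be running on another CPU while the module is being loaded or unloaded.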