Re: cvs commit: src/sys/conf files options src/sys/contrib/ipfilter/netinet ip_fil.c ip_fil.h src/sys/i386/conf GENERIC LINT src/sys/netinet ip_input.c ip_output.c ip_var.h src/sys/netinet6 ip6_forward.c ip6_input.c ...

[Hiten Pandya <hmp@xxxxxxxxxxxxx>]

Jeroen Ruigrok/asmodai wrote:
> asmodai     2003/12/02 00:00:23 PST
>
> DragonFly src repository
>
>   Modified files:
>     sys/conf             files options 
>     sys/contrib/ipfilter/netinet ip_fil.c ip_fil.h 
>     sys/i386/conf        GENERIC LINT 
>     sys/netinet          ip_input.c ip_output.c ip_var.h 
>     sys/netinet6         ip6_forward.c ip6_input.c ip6_output.c 
>                          ip6_var.h 
>   Log:
>   Add PFIL_HOOKS functionality.  This allows us to plug in many firewalling
>   architectures by using/having generic hooks in the networking code.

	The reason I wasn't so hasty about adding this functionality in,
	is because it prevents the dynamic loading of packet filters
	that make use of the PFIL_HOOKS functionality.  If you see the
	freebsd-current@ mailing list, I have discussed it with many
	others including Darren himself.

	Making PFIL_HOOKS default in the kernel leads to some perf. loss
	in the general case which we don't want to happen.  One way of
	solving this problem is to create extern pfil_hook_ pointers
	which are tested for by the ip_input/ip_output code, and if the
	pointers are not NULL, then they are called; similar to the way
	it is done with the NetGraph code.

	This way, we can load the PFIL_HOOKS functionality as a module
	and also have the packet filtering work.  I do not have any
	patches for this at the moment, but this is the general idea
	that was agreed upon, but no one got around to do it.

	Anyway, nice work.  We need the manual pages though. :-)

	Regards,

	PS: I this the most up-to-date (i.e. from OpenBSD) PFIL_HOOKS?

	--
	Hiten Pandya
	hmp@xxxxxxxxxxxxx