Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).

Since tags are kept while packet resides in kernelspace, it's possible to
use other kernel facilities (like netgraph nodes) for altering those tags.

Submitted by:	Andrey Elsukov <bu7cher at yandex dot ru>
Submitted by:	Vadim Goncharov <vadimnuclight at tpu dot ru>
Approved by:	glebius (mentor)
Idea from:	OpenBSD PF
MFC after:	1 month

1 files changed, 6 insertions, 0 deletions

diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index 0893e46..14ca1d5 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -157,6 +157,9 @@ enum ipfw_opcodes {		/* arguments (4 byte each)	*/
 
 	O_UNREACH6,		/* arg1=icmpv6 code arg (deny)  */
 
+	O_TAG,   		/* arg1=tag number */
+	O_TAGGED,		/* arg1=tag number */
+
 	O_LAST_OPCODE		/* not an opcode!		*/
 };
 
@@ -215,6 +218,8 @@ typedef struct	_ipfw_insn {	/* template for instructions */
  */
 #define	F_INSN_SIZE(t)	((sizeof (t))/sizeof(u_int32_t))
 
+#define MTAG_IPFW	1148380143	/* IPFW-tagged cookie */
+
 /*
  * This is used to store an array of 16-bit entries (ports etc.)
  */
@@ -346,6 +351,7 @@ typedef struct _ipfw_insn_icmp6 {
  *  + if a rule has a "log" option, then the first action
  *	(at ACTION_PTR(r)) MUST be O_LOG
  *  + if a rule has an "altq" option, it comes after "log"
+ *  + if a rule has an O_TAG option, it comes after "log" and "altq"
  *
  * NOTE: we use a simple linked list of rules because we never need
  * 	to delete a rule without scanning the list. We do not use