From 499297c74cc00692bc00ddab18c1e67dcbfaf0a9 Mon Sep 17 00:00:00 2001 From: oleg Date: Wed, 24 May 2006 13:09:55 +0000 Subject: Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9). Since tags are kept while packet resides in kernelspace, it's possible to use other kernel facilities (like netgraph nodes) for altering those tags. Submitted by: Andrey Elsukov Submitted by: Vadim Goncharov Approved by: glebius (mentor) Idea from: OpenBSD PF MFC after: 1 month --- sys/netinet/ip_fw.h | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'sys/netinet/ip_fw.h') diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index 0893e46..14ca1d5 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h @@ -157,6 +157,9 @@ enum ipfw_opcodes { /* arguments (4 byte each) */ O_UNREACH6, /* arg1=icmpv6 code arg (deny) */ + O_TAG, /* arg1=tag number */ + O_TAGGED, /* arg1=tag number */ + O_LAST_OPCODE /* not an opcode! */ }; @@ -215,6 +218,8 @@ typedef struct _ipfw_insn { /* template for instructions */ */ #define F_INSN_SIZE(t) ((sizeof (t))/sizeof(u_int32_t)) +#define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */ + /* * This is used to store an array of 16-bit entries (ports etc.) */ @@ -346,6 +351,7 @@ typedef struct _ipfw_insn_icmp6 { * + if a rule has a "log" option, then the first action * (at ACTION_PTR(r)) MUST be O_LOG * + if a rule has an "altq" option, it comes after "log" + * + if a rule has an O_TAG option, it comes after "log" and "altq" * * NOTE: we use a simple linked list of rules because we never need * to delete a rule without scanning the list. We do not use -- cgit v1.1
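Review bot: The two opcodes added to `enum ipfw_opcodes` carry the identical comment `/* arg1=tag number */`, so the header does not say which one changes the packet and which one only tests it. The rule-layout comment touched in the last hunk places O_TAG with the options that follow "log" and "altq", which suggests O_TAG attaches a tag and O_TAGGED matches one. If that is right, `O_TAG, /* arg1=tag number to attach */` and `O_TAGGED, /* arg1=tag number to match */` would make it explicit. It would also help to state the valid range of arg1 and whether any value is reserved. Adding the entries just before O_LAST_OPCODE leaves the existing opcode values unchanged, which is the safe placement; the enum begins outside the hunk.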
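Review bot: `MTAG_IPFW` is added as a bare constant whose comment does not say how the value was chosen or that it must stay stable. The commit message says other kernel facilities such as netgraph nodes may alter these tags, so the cookie is effectively a shared interface. Any in-kernel code that attaches a tag under this cookie can influence what a tag-matching rule sees. A comment such as `/* mbuf_tags(9) cookie for ipfw packet tags; also used by other in-kernel tag producers, do not change */` would record that. The value looks like a creation timestamp, which is common for mbuf tag cookies, but that is an inference and worth confirming in the comment. The header should also note that rules matching on tags trust every producer using this cookie, so rule authors know the tag is not set by ipfw alone.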