Oleg Bulyzhin wrote:
> On Wed, May 24, 2006 at 01:09:55PM +0000, Oleg Bulyzhin wrote:
>> oleg 2006-05-24 13:09:55 UTC
>>
>> FreeBSD src repository
>>
>> Modified files:
>> sys/netinet ip_fw.h ip_fw2.c
>> sbin/ipfw ipfw.8 ipfw2.c
>> Log:
>> Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
>> Since tags are kept while packet resides in kernelspace, it's possible to
>> use other kernel facilities (like netgraph nodes) for altering those tags.
>>
>> Submitted by: Andrey Elsukov <bu7cher at yandex dot ru>
>> Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru>
>> Approved by: glebius (mentor)
>> Idea from: OpenBSD PF
>> MFC after: 1 month
>>
>> Revision Changes Path
>> 1.188 +61 -1 src/sbin/ipfw/ipfw.8
>> 1.89 +72 -8 src/sbin/ipfw/ipfw2.c
>> 1.106 +6 -0 src/sys/netinet/ip_fw.h
>> 1.132 +57 -1 src/sys/netinet/ip_fw2.c
>
> Examples of ipfw rules syntax:
> count tag 100 ip from any to any
> allow untag 10 ip from any to any tagged 10
Does this accept the packet and untag it at the same time? Wouldn't
it make more sense to have [tag|untag] as its own operators like
[allow|deny]?
> allow tag 200 ip from any to any not tagged 0-65535
>
--
Andre