Initial steps toward a hardware-assisted (switch VLAN) firewall implementation.
This checkin adds the necessary NS and client-side changes. You get such a firewall by creating a firewall object and doing:

    $fw set-type ipfw2-vlan

In addition to the usual firewall setup, it sets the firewall node command line to boot "/kernel.fw" which is an IPFW2-enabled kernel with a custom bridge hack.

The client-side setup for firewalled nodes is easy: do nothing. The client-side setup for the firewall is more involved, using vlan devices and bridging and all sorts of geeky magic.

Note finally that I don't yet have a decent set of default rules for anything other than a completely open firewall. The rules might be slightly different than for the "software" firewall since they are applied at layer2 (and we want them just to be applied at layer2 and not multiple times).
Showing with 156 additions and 18 deletions