From: Alex de Kruijff
To: ipfw@freebsd.org
Date: Thu, 21 Jul 2005 23:42:42 +0200
Message-id: <20050721214242.GA2201@Alex.lan>
Subject: error in man ipfw / divert

Hi,

I was wondering, is man ipfw wrong here?

man ipfw tells:

    divert port - Divert packets that match this rule to the divert(4)
    socket bound to port port. The search terminates.

man divert tells:

    Packets written into a divert socket (using sendto(2)) re-enter the
    packet filter at the rule number following the tag given in the port
    part of the socket address, which is usually already set at the rule
    number that caused the diversion (not the next rule if there are
    several at the same number). If the 'tag' is altered to indicate an
    alternative re-entry point, care should be taken to avoid loops, where
    the same packet is diverted more than once at the same rule.

I think man ipfw should say something like:

    when nothing is listening on the port then the search terminates
    when something is listening on the port then the search continues
    from the same rule.

-- 
Alex
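
The re-entry behaviour quoted from divert(4) above, as an added example that is not part of the original message: a simplified Python model of the rule search, not FreeBSD code. The names `Rule`, `search`, `process` and `demo`, the ruleset, and the "dropped" and default-deny outcomes are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not FreeBSD kernel code.
# Simplification: every rule matches every packet; only rule order matters.
from dataclasses import dataclass

@dataclass
class Rule:
    number: int
    action: str      # "divert", "allow", "deny" or "count" (count never terminates)
    port: int = 0    # divert port; meaningful only for divert rules

def search(rules, after, trace):
    """Scan rules numbered above `after`; return the first terminating rule."""
    for rule in sorted(rules, key=lambda r: r.number):  # stable: keeps same-number order
        if rule.number <= after:
            continue
        trace.append((rule.number, rule.action))
        if rule.action != "count":
            return rule
    return None

def process(rules, listeners, max_diverts=5):
    """listeners maps a divert port to a function: tag received -> tag used on sendto(2)."""
    trace, tag, diverts = [], -1, 0
    while True:
        rule = search(rules, tag, trace)
        if rule is None:
            return "deny", trace       # assumption: default rule denies
        if rule.action != "divert":
            return rule.action, trace
        if rule.port not in listeners:
            return "dropped", trace    # assumption: no socket bound, packet is dropped
        diverts += 1
        if diverts > max_diverts:
            return "loop", trace       # same packet diverted again and again
        tag = listeners[rule.port](rule.number)   # re-entry point chosen by the daemon

# Constructed ruleset: two rules share number 100.
RULES = [Rule(100, "divert", 8668), Rule(100, "count"), Rule(200, "allow")]

def demo():
    return {
        "no_listener": process(RULES, {}),
        "tag_kept": process(RULES, {8668: lambda tag: tag}),
        "tag_lowered": process(RULES, {8668: lambda tag: 0}),
    }

if __name__ == "__main__":
    for name, (verdict, trace) in demo().items():
        print(name, verdict, trace)
```

With the tag kept at 100, the second rule numbered 100 is never evaluated after re-injection, which is the "not the next rule if there are several at the same number" case; lowering the tag reproduces the loop the man page warns about.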