Date: Mon, 5 May 1997 17:46:38 -0700 (PDT)
From: Archie Cobbs <archie@whistle.com>
To: avalon@coombs.anu.edu.au (Darren Reed)
Cc: archie@whistle.com, nnd@info.itfs.nsk.su, current@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: divert still broken?
Message-ID: <199705060046.RAA10264@bubba.whistle.com>
In-Reply-To: <199705060040.RAA16456@gatekeeper.whistle.com> from Darren Reed at "May 6, 97 10:38:59 am"
> > - Allow rules to have the form:
> >
> >     1000 deny ip from any to any in via ed0 out via ed1
> >
> >   so you can filter routed packets by both incoming AND outgoing
> >   interface.
>
> can you do this such that the route is only looked up once ? Can you
> be sure that the routing table won't change between the two lookups
> if you can't do it with one (es. on SMP systems) ? You could possibly
> solve this by only enabling this sort of filter on the outbound side
> of ed1.

No routing table lookup necessary; the outbound interface is determined
already by the time ip_output() calls us. The inbound interface is kept
in the mbuf as m_rcvif.

> > - When a reject rule applies to an incoming TCP packet, send
> >   the appropriate TCP response packet (ie., RST) instead of an
> >   ICMP port unreachable.
>
> I think you want to make this user configurable and perhaps on a per-rule
> basis.

This is only with "reject" -- ie., right now it sends an ICMP unreachable.
There's still "deny" which silently drops.

> This is otherwise a rather major change in the behaviour of ipfw and
> users may not agree with it (and they don't necessarily subscribe to
> any freebsd mailling list either).

It will be backwards compatible... does that help?

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
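A toy model of the semantics argued in this message, added here as an example and not code from FreeBSD's ipfw: a rule may name an inbound interface ("in via"), an outbound interface ("out via"), or both; a rule naming "out via" can only match at the output hook, where ip_output() already knows the outgoing interface, while the inbound interface travels with the packet as m_rcvif. The rule/packet structs, the first-match-wins walk, the pass-on-no-match default and the `tcp_rst_enabled` switch are assumptions of this model.

```c
#include <stdbool.h>
#include <string.h>

/* Model assumption: rules are deny, reject or pass; the filter is called
 * either on input (only m_rcvif known) or on output (both interfaces known). */
enum action { ACT_PASS, ACT_DENY, ACT_REJECT };
enum hook { HOOK_INPUT, HOOK_OUTPUT };

struct rule {
    int number;
    enum action act;
    const char *in_via;   /* NULL = any inbound interface  */
    const char *out_via;  /* NULL = any outbound interface */
};

struct packet {
    const char *rcvif;    /* interface it arrived on (m_rcvif); NULL if locally generated */
    const char *outif;    /* interface it will leave on; known only at the output hook */
    bool is_tcp;
};

/* A rule naming "out via" cannot match on the input side, because the
 * outbound interface is not determined until ip_output() runs. */
static bool rule_matches(const struct rule *r, const struct packet *p, enum hook h)
{
    if (r->in_via && (p->rcvif == NULL || strcmp(r->in_via, p->rcvif) != 0))
        return false;
    if (r->out_via &&
        (h != HOOK_OUTPUT || p->outif == NULL || strcmp(r->out_via, p->outif) != 0))
        return false;
    return true;
}

/* First matching rule decides; no match passes (model assumption). */
enum action filter(const struct rule *rules, int n, const struct packet *p, enum hook h)
{
    for (int i = 0; i < n; i++)
        if (rule_matches(&rules[i], p, h))
            return rules[i].act;
    return ACT_PASS;
}

/* "reject" answers the sender: ICMP unreachable today, a TCP RST for TCP
 * packets under the proposed change. "deny" stays silent either way. */
const char *response_for(enum action a, bool is_tcp, bool tcp_rst_enabled)
{
    if (a != ACT_REJECT)
        return "none";
    return (is_tcp && tcp_rst_enabled) ? "TCP RST" : "ICMP unreachable";
}
```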