From owner-freebsd-current Mon May 5 19:48:40 1997
From: Darren Reed
Subject: Re: divert still broken?
To: archie@whistle.com (Archie Cobbs)
Date: Tue, 6 May 1997 12:46:30 +1000 (EST)
Cc: avalon@coombs.anu.edu.au, archie@whistle.com, nnd@info.itfs.nsk.su, current@FreeBSD.ORG, hackers@FreeBSD.ORG
In-Reply-To: <199705060046.RAA10264@bubba.whistle.com> from "Archie Cobbs" at May 5, 97 05:46:38 pm

In some mail from Archie Cobbs, sie said:
> >
> > > - Allow rules to have the form:
> > >
> > >         1000 deny ip from any to any in via ed0 out via ed1
> > >
> > > so you can filter routed packets by both incoming AND outgoing
> > > interface.
> >
> > can you do this such that the route is only looked up once ? Can you
> > be sure that the routing table won't change between the two lookups
> > if you can't do it with one (es. on SMP systems) ? You could possibly
> > solve this by only enabling this sort of filter on the outbound side
> > of ed1.
>
> No routing table lookup necessary; the outbound interface is determined
> already by the time ip_output() calls us. The inbound interface is kept
> in the mbuf as m_rcvif.

So what you're (including what you mentioned about changes in your other
email) saying is that these packets can only be filtered out during the
forwarding/outbound filtering ?

> > > - When a reject rule applies to an incoming TCP packet, send
> > > the appropriate TCP response packet (i.e., RST) instead of an
> > > ICMP port unreachable.
> >
> > I think you want to make this user configurable and perhaps on a per-rule
> > basis.
>
> This is only with "reject" -- i.e., right now it sends an ICMP unreachable.
> There's still "deny" which silently drops.
>
> > This is otherwise a rather major change in the behaviour of ipfw and
> > users may not agree with it (and they don't necessarily subscribe to
> > any freebsd mailing list either).
>
> It will be backwards compatible... does that help?

Okay, I'm lost with the "backwards compatible". Are you saying you'll use
another word (instead of reject/deny), such as "reset" to indicate sending
an RST rather than some other action ?

Darren
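The two behaviours argued over above, as an added model (this is not ipfw's or FreeBSD's code): a parser for the quoted rule syntax, an "in via ... out via" match that can only succeed on the output hook because the outbound interface is unknown until ip_output(), and a reject action that answers TCP with RST and everything else with ICMP unreachable while deny stays silent. The hook names, packet dictionary fields and returned strings are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed model, not ipfw's code: hook names, packet fields and the
# returned strings are this example's own; 'rcvif' stands in for m_rcvif.
@dataclass
class Rule:
    number: int
    action: str             # 'allow', 'deny' (silent drop) or 'reject' (drop and reply)
    proto: str              # 'ip' matches any protocol
    in_via: Optional[str]   # required inbound interface, if any
    out_via: Optional[str]  # required outbound interface, if any

RULE_RE = re.compile(
    r"^(\d+)\s+(allow|deny|reject)\s+(\w+)\s+from\s+\S+\s+to\s+\S+"
    r"(?:\s+in\s+via\s+(\S+))?(?:\s+out\s+via\s+(\S+))?$")

def parse_rule(text: str) -> Rule:
    """Parse the rule subset used in the thread (from/to addresses are ignored)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    number, action, proto, in_via, out_via = m.groups()
    return Rule(int(number), action, proto, in_via, out_via)

def matches(rule: Rule, pkt: dict, hook: str, out_if: Optional[str]) -> bool:
    """hook is 'input' (out_if not yet known) or 'output' (ip_output knows out_if)."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if rule.in_via is not None and rule.in_via != pkt["rcvif"]:
        return False
    # The outbound interface is only decided by the time ip_output() runs,
    # so an 'out via' rule can never match on the input hook.
    if rule.out_via is not None and (hook != "output" or out_if != rule.out_via):
        return False
    return True

def filter_packet(rules, pkt: dict, hook: str, out_if: Optional[str] = None) -> str:
    """Return 'pass', 'drop', 'drop+tcp-rst' or 'drop+icmp-unreach'."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not matches(rule, pkt, hook, out_if):
            continue
        if rule.action == "allow":
            return "pass"
        if rule.action == "deny":
            return "drop"
        # reject: the proposed change answers TCP with RST instead of ICMP unreachable
        return "drop+tcp-rst" if pkt["proto"] == "tcp" else "drop+icmp-unreach"
    return "pass"  # model assumption: packets matching no rule pass
```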