Date:      Mon, 5 May 1997 20:04:07 -0700 (PDT)
From:      Archie Cobbs <archie@whistle.com>
To:        avalon@coombs.anu.edu.au (Darren Reed)
Cc:        archie@whistle.com, avalon@coombs.anu.edu.au, nnd@info.itfs.nsk.su, current@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject:   Re: divert still broken?
Message-ID:  <199705060304.UAA10809@bubba.whistle.com>
In-Reply-To: <199705060248.TAA19150@gatekeeper.whistle.com> from Darren Reed at "May 6, 97 12:46:30 pm"


> > > >  - Allow rules to have the form:
> > > > 
> > > >      1000 deny ip from any to any in via ed0 out via ed1
> > > > 
> > > >    so you can filter routed packets by both incoming AND outgoing
> > > >    interface.
> > > 
> > > can you do this such that the route is only looked up once ?  Can you
> > > be sure that the routing table won't change between the two lookups
> > > if you can't do it with one (e.g. on SMP systems) ?  You could possibly
> > > solve this by only enabling this sort of filter on the outbound side
> > > of ed1.
> > 
> > No routing table lookup necessary; the outbound interface is determined
> > already by the time ip_output() calls us. The inbound interface is kept
> > in the mbuf as m_rcvif.
> 
> So what you're (including what you mentioned about changes in your other
> email) saying is that these packets can only be filtered out during the
> forwarding/outbound filtering ?

Right.

> > > >  - When a reject rule applies to an incoming TCP packet, send
> > > >    the appropriate TCP response packet (i.e., RST) instead of an
> > > >    ICMP port unreachable.
> > > 
> > > I think you want to make this user configurable and perhaps on a per-rule
> > > basis.
> > 
> > This is only with "reject" -- i.e., right now it sends an ICMP unreachable.
> > There's still "deny" which silently drops.
> > 
> > > This is otherwise a rather major change in the behaviour of ipfw and
> > > users may not agree with it (and they don't necessarily subscribe to
> > > any freebsd mailing list either).
> > 
> > It will be backwards compatible... does that help?
> 
> okay, i'm lost with the "backwards compatible".  are you saying you'll use
> another word (instead of reject/deny), such as "reset" to indicate sending
> an RST rather than some other action ?

By "backwards compatible" I meant the parsing of rules by the ipfw
programs, so that the semantics of rules with trailing options like
"in via ed0", "via ed1 out", "in", etc. won't change.

The way it is now:

	deny       -> drop packet
	reject ip  -> send icmp unreachable
	reject tcp -> send icmp unreachable

The way it will be:

	deny       -> drop packet
	reject ip  -> send icmp unreachable
	reject tcp -> send tcp reset (which is more appropriate)

There is a change in the type of notification the sender receives
when a TCP packet is rejected... but this seems to me more like a bug
fix than a "major change"... it's certainly easy *not* to do, and it's
not something I particularly care about other than it being a bug.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
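The rule forms and the deny/reject semantics discussed in this message, modelled as an added example (not FreeBSD's ipfw code): Packet, parse_rule, rule_matches, response and evaluate are constructed for illustration, and the parser only covers the rule shapes quoted above.

```python
"""Toy model of the ipfw rule forms in the thread (added example, not ipfw
code). A packet carries the interface it arrived on (m_rcvif) and, once
ip_output() has chosen a route, the outgoing interface."""
import re
from collections import namedtuple

# rcvif: m_rcvif (None if locally generated); outif: None on the input pass
Packet = namedtuple("Packet", "proto rcvif outif")

def parse_rule(text):
    """Parse e.g. '1000 deny ip from any to any in via ed0 out via ed1'
    (hypothetical parser; handles 'in/out via X' and 'via X in/out')."""
    m = re.match(r"(\d+)\s+(deny|reject)\s+(\w+)\s+from\s+\S+\s+to\s+\S+(.*)$", text)
    if not m:
        raise ValueError("unsupported rule: " + text)
    num, action, proto, opts = m.groups()
    rule = {"number": int(num), "action": action, "proto": proto,
            "in_via": None, "out_via": None}
    for d1, if1, if2, d2 in re.findall(
            r"(in|out)\s+via\s+(\w+)|via\s+(\w+)\s+(in|out)", opts):
        rule["in_via" if (d1 or d2) == "in" else "out_via"] = if1 or if2
    return rule

def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if rule["in_via"] and pkt.rcvif != rule["in_via"]:
        return False
    # outif is unknown on the input pass, so a rule naming both interfaces
    # can only fire on the forwarding/outbound pass (no route lookup needed)
    if rule["out_via"] and pkt.outif != rule["out_via"]:
        return False
    return True

def response(rule, pkt, tcp_reset=True):
    """What the sender is told. tcp_reset=False is the current behaviour
    (ICMP unreachable even for TCP); True is the proposed TCP RST."""
    if rule["action"] == "deny":
        return "drop"                      # silent, unchanged either way
    if pkt.proto == "tcp" and tcp_reset:
        return "tcp-rst"
    return "icmp-unreach"

def evaluate(rules, pkt, tcp_reset=True):
    """(rule number, response) of the first matching rule, else (None, 'accept')."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if rule_matches(rule, pkt):
            return rule["number"], response(rule, pkt, tcp_reset)
    return None, "accept"
```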


