Date:      Wed, 22 Jun 2005 20:34:00 +0200
From:      Jeremie Le Hen <jeremie@le-hen.org>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)
Message-ID:  <20050622183400.GS738@obiwan.tataz.chchile.org>
In-Reply-To: <20050622092452.A95367@xorpc.icir.org>
References:  <42B7B352.8040806@suutari.iki.fi> <20050621170649.B82876@xorpc.icir.org> <42B94023.3090202@suutari.iki.fi> <20050622053307.B90964@xorpc.icir.org> <42B98FA0.3030805@suutari.iki.fi> <20050622092452.A95367@xorpc.icir.org>

Hi Luigi,

> yes but it is a different action and you may want both types
> of rules in the same ruleset, so a sysctl is out of discussion.
> I really believe the "setnexthop" action is the best approach.

IMHO, making the "fwd" action non-terminal (as the "count" action)
is the best way to achieve this.  When net.inet.ip.fw.one_pass is set
to 1, then it will behave as it does currently.  When set to 0, the user
will have to explicitly use an "accept" or a "skipto" rule to stop
going through the rules, in the same way you would do it for a
"pipe" action.

However, the main problem with this approach is that it breaks POLA.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
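A small model of the semantics proposed in the message above, added here as an illustration (it is not ipfw code and not the poster's own): a ruleset written on the assumption that "fwd" is terminal, evaluated once with the hypothetical one_pass behaviour on and once with it off, which makes the POLA concern concrete. Rule matching is simplified to a source-prefix check, and the ruleset and packet are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model (not FreeBSD code) of the proposed rule semantics: "fwd"
# terminates rule processing only when the one_pass flag is set.

@dataclass
class Rule:
    number: int
    action: str              # "allow", "deny", "count", "fwd" or "skipto"
    src: str                 # source prefix; "any" matches every packet
    arg: Optional[str] = None  # next hop for fwd, target rule number for skipto

def matches(rule, pkt):
    return rule.src == "any" or pkt["src"].startswith(rule.src)

def evaluate(rules, pkt, one_pass):
    """Walk the ruleset; return (verdict, next hop, rule numbers that matched)."""
    nexthop, hits = None, []
    i = 0
    while i < len(rules):
        r = rules[i]
        if matches(r, pkt):
            hits.append(r.number)
            if r.action in ("allow", "deny"):
                return r.action, nexthop, hits
            if r.action == "fwd":
                nexthop = r.arg
                if one_pass:             # one_pass=1: fwd behaves as today
                    return "allow", nexthop, hits
            elif r.action == "skipto":   # jump to the first rule >= target
                i = next((k for k, x in enumerate(rules)
                          if x.number >= int(r.arg)), len(rules))
                continue
            # "count" and a non-terminal fwd fall through to the next rule
        i += 1
    return "deny", nexthop, hits         # implicit deny at the end of the set

# Constructed ruleset written with a terminal fwd in mind: policy-route
# 10.1.0.0/16 via a gateway (placeholder address) and drop everything else.
RULES = [
    Rule(100, "count", "any"),
    Rule(200, "fwd", "10.1.", "192.0.2.1"),
    Rule(300, "deny", "any"),
]
PKT = {"src": "10.1.2.3"}

def verdict(one_pass):
    # Same ruleset, same packet; only the sysctl value differs.
    return evaluate(RULES, PKT, one_pass)
```

With one_pass on the packet is forwarded at rule 200; with it off, the very same ruleset lets the packet fall through to rule 300 and drops it, which is the surprise the message warns about.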