From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 18:33:48 2005
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B410716A41C; Wed, 22 Jun 2005 18:33:48 +0000 (GMT) (envelope-from tataz@tataz.chchile.org)
Received: from postfix4-1.free.fr (postfix4-1.free.fr [213.228.0.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7810343D1D; Wed, 22 Jun 2005 18:33:48 +0000 (GMT) (envelope-from tataz@tataz.chchile.org)
Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by postfix4-1.free.fr (Postfix) with ESMTP id 6C394317D11; Wed, 22 Jun 2005 20:33:46 +0200 (CEST)
Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id DCFDF405B; Wed, 22 Jun 2005 20:34:00 +0200 (CEST)
Date: Wed, 22 Jun 2005 20:34:00 +0200
From: Jeremie Le Hen
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)
Message-ID: <20050622183400.GS738@obiwan.tataz.chchile.org>
References: <42B7B352.8040806@suutari.iki.fi> <20050621170649.B82876@xorpc.icir.org> <42B94023.3090202@suutari.iki.fi> <20050622053307.B90964@xorpc.icir.org> <42B98FA0.3030805@suutari.iki.fi> <20050622092452.A95367@xorpc.icir.org>
In-Reply-To: <20050622092452.A95367@xorpc.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 22 Jun 2005 18:33:48 -0000

Hi Luigi,

> yes but it is a different action and you may want both types
> of rules in the same ruleset, so a sysctl is out of discussion.
> I really believe the "setnexthop" action is the best approach.

IMHO, making the "fwd" action non-terminal (like the "count" action) is the best way to achieve this. When net.inet.ip.fw.one_pass is set to 1, it will behave as it does currently. When set to 0, the user will have to explicitly use an "accept" or a "skipto" rule to stop going through the rules, in the same way you would do it for a "pipe" action.

However, the main problem with this approach is that it breaks POLA.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
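The following is an added example, not part of the original message and not ipfw code. It is a small Python model of the rule walk Jeremie proposes: "count" never terminates, a non-terminal "fwd" records a next hop and continues unless net.inet.ip.fw.one_pass is set, "accept"/"deny" terminate, and "skipto" jumps forward. The rule representation, the constructed rulesets and the packet "match" flags are all assumptions made for the model; they are not ipfw(8) syntax. The second ruleset shows the POLA problem he mentions: with one_pass=0 a later "deny" silently overrides an earlier "fwd" unless the admin adds an explicit "accept".

```python
"""Toy model of an ipfw-style rule walk with a non-terminal 'fwd'.

Added example (not from the original mail, not ipfw source). Rule syntax
and rulesets below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    number: int            # rule number, as in ipfw (ordering key)
    action: str            # 'count', 'fwd', 'accept', 'skipto', 'deny'
    match: bool            # constructed: does the packet under test match?
    arg: Optional[str] = None  # next hop for 'fwd', target number for 'skipto'


@dataclass
class Result:
    verdict: str                        # 'accept' or 'deny'
    nexthop: Optional[str]              # set only if the packet was forwarded
    visited: List[int] = field(default_factory=list)  # matched rule numbers


def walk(rules: List[Rule], one_pass: bool) -> Result:
    """Process rules in number order and return the final verdict.

    Modelled semantics (assumptions, following the proposal in the thread):
      count  - non-terminal, always continue
      fwd    - record next hop; terminal only when one_pass is set
      accept - terminal, keep any next hop recorded so far
      deny   - terminal, drop (next hop discarded)
      skipto - jump to the first rule numbered >= arg
    Falling off the end hits the implicit default deny.
    """
    rules = sorted(rules, key=lambda r: r.number)
    nexthop: Optional[str] = None
    visited: List[int] = []
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.match:
            i += 1
            continue
        visited.append(r.number)
        if r.action == "count":
            i += 1
        elif r.action == "fwd":
            nexthop = r.arg
            if one_pass:               # current behaviour: fwd terminates
                return Result("accept", nexthop, visited)
            i += 1                     # proposed: keep walking the ruleset
        elif r.action == "accept":
            return Result("accept", nexthop, visited)
        elif r.action == "deny":
            return Result("deny", None, visited)
        elif r.action == "skipto":
            target = int(r.arg)
            i = next((k for k, x in enumerate(rules) if x.number >= target),
                     len(rules))
        else:
            raise ValueError(f"unknown action {r.action!r}")
    return Result("deny", None, visited)   # default rule: deny


# Constructed ruleset: fwd, then an explicit skipto past a deny to an accept.
RULES_WITH_EXPLICIT_ACCEPT = [
    Rule(100, "fwd", True, "192.0.2.1"),
    Rule(200, "count", True),
    Rule(300, "skipto", True, "500"),
    Rule(400, "deny", True),
    Rule(500, "accept", True),
]

# Constructed ruleset that forgets the explicit accept: POLA violation.
RULES_WITHOUT_EXPLICIT_ACCEPT = [
    Rule(100, "fwd", True, "192.0.2.1"),
    Rule(200, "deny", True),
]


def compare(rules: List[Rule]) -> dict:
    """Run the same ruleset under both sysctl settings."""
    return {"one_pass=1": walk(rules, True), "one_pass=0": walk(rules, False)}


if __name__ == "__main__":
    for name, rs in (("explicit accept", RULES_WITH_EXPLICIT_ACCEPT),
                     ("no explicit accept", RULES_WITHOUT_EXPLICIT_ACCEPT)):
        for setting, res in compare(rs).items():
            print(f"{name:20s} {setting}: {res}")
```

Under one_pass=1 both rulesets stop at rule 100 and forward the packet, which is what ipfw does today. Under one_pass=0 the first ruleset still forwards because rule 300 skips over the deny to an explicit accept, while the second ruleset drops the packet at rule 200 even though rule 100 matched first; that surprise is the POLA concern raised in the message.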