From: Luigi Rizzo
To: Jeremie Le Hen
Cc: freebsd-net@freebsd.org
Date: Wed, 22 Jun 2005 11:45:13 -0700
Message-ID: <20050622114513.A97519@xorpc.icir.org>
In-Reply-To: <20050622183400.GS738@obiwan.tataz.chchile.org>
References: <42B7B352.8040806@suutari.iki.fi> <20050621170649.B82876@xorpc.icir.org> <42B94023.3090202@suutari.iki.fi> <20050622053307.B90964@xorpc.icir.org> <42B98FA0.3030805@suutari.iki.fi> <20050622092452.A95367@xorpc.icir.org> <20050622183400.GS738@obiwan.tataz.chchile.org>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)
On Wed, Jun 22, 2005 at 08:34:00PM +0200, Jeremie Le Hen wrote:
> Hi Luigi,
>
> > yes but it is a different action and you may want both types
> > of rules in the same ruleset, so a sysctl is out of discussion.
> > I really believe the "setnexthop" action is the best approach.
>
> IMHO, making the "fwd" action non-terminal (as the "count" action)

I don't understand what is the problem in defining a second action
'setnexthop' which behaves as a nonblocking 'forward'.
Implementation-wise you can share most of the code, it is just a matter
of putting and perhaps a flag in the structure that stores the nexthop
depending on the action specified on the command line. Same for
printing. It does not break POLA and it lets you have both behaviours
at almost no cost.

Maybe net.inet.ip.fw.one_pass should not exist, but now it is there and,
once again, we have to keep it for POLA.

cheers
luigi

> is the best way to achieve this. When net.inet.ip.fw.one_pass is set
> to 1, then it will behave like actually. When set to 0, the user
> will have to explicitly use an "accept" or a "skipto" rule to stop
> going through the rules, in the same way you would do it for a
> "pipe" action.
>
> However, the main problem with this approach is that it breaks POLA.
>
> Regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >
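The two designs argued over in this thread (a terminal "fwd" that becomes non-terminal when one_pass is 0, versus a separate non-terminal "setnexthop") differ only in when rule processing stops. The model below is an added illustration, not FreeBSD or ipfw code: it walks a constructed ruleset with first-match semantics, the match predicates stand in for ipfw's address matching, `fwd_nonterminal` stands for Jeremie's proposal, "setnexthop" for Luigi's, and the implicit default rule is assumed to deny.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    nexthop: Optional[str] = None                   # set by fwd / setnexthop
    hits: List[int] = field(default_factory=list)   # rule numbers of 'count' matches

# (rule number, action, argument, match predicate); the predicate replaces ipfw's
# real address/port matching, which is not modelled here.
Rule = Tuple[int, str, Optional[str], Callable[[Packet], bool]]

def evaluate(rules: List[Rule], pkt: Packet, one_pass: bool = True,
             fwd_nonterminal: bool = False) -> Tuple[str, Packet]:
    """First-match walk returning the action that ended processing.
    one_pass mirrors net.inet.ip.fw.one_pass for 'pipe'; fwd_nonterminal=True is
    the proposal under discussion (fwd keeps matching when one_pass is 0)."""
    for num, action, arg, match in rules:
        if not match(pkt):
            continue
        if action == "count":                       # never terminal
            pkt.hits.append(num)
        elif action == "setnexthop":                # proposed: record next hop, keep matching
            pkt.nexthop = arg
        elif action == "fwd":
            pkt.nexthop = arg
            if one_pass or not fwd_nonterminal:     # current ipfw: fwd is always terminal
                return "fwd", pkt
        elif action == "pipe":
            if one_pass:                            # one_pass=1: packet leaves the ruleset here
                return "pipe", pkt
        else:                                       # allow / deny
            return action, pkt
    return "deny", pkt                              # implicit default rule (assumed deny)

def sample_ruleset() -> List[Rule]:
    # Constructed ruleset: policy-route two subnets, then filter one destination.
    return [
        (100, "count", None, lambda p: True),
        (200, "setnexthop", "10.0.0.1", lambda p: p.src.startswith("192.168.1.")),
        (300, "fwd", "10.0.0.2", lambda p: p.src.startswith("192.168.2.")),
        (400, "deny", None, lambda p: p.dst == "10.9.9.9"),
        (500, "allow", None, lambda p: True),
    ]

def run(src: str, dst: str, **opts) -> Tuple[str, Optional[str], List[int]]:
    action, pkt = evaluate(sample_ruleset(), Packet(src, dst), **opts)
    return action, pkt.nexthop, pkt.hits
```

With the terminal "fwd" a packet from 192.168.2.0/24 never reaches the deny at rule 400, while the "setnexthop" path lets rule 400 still drop traffic to 10.9.9.9 after the next hop has been chosen.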